Senator: New cybersecurity regulations needed for banks
- 22 June, 2011 04:26
Current regulations aren't enough to warn customers and protect them against data breaches at financial institutions, one U.S. senator said during a hearing Tuesday.
Senator Robert Menendez, a New Jersey Democrat, questioned why Citigroup took about a month to report a breach affecting more than 360,000 credit card accounts in North America. Citigroup, which confirmed the breach in early June, never notified Menendez's chief of staff that his account was compromised, Menendez said.
The staffer attempted to use his credit card and was declined, then called Citigroup to discover his account was hacked, Menendez said. "It seems to me there is a fiduciary responsibility by the [financial] entity to proactively tell their customer that has happened," he said during a Senate Banking, Housing and Urban Affairs Committee hearing.
Citigroup did not testify at the hearing, and a company representative did not immediately return a phone message seeking comment on Menendez's criticism. But Leigh Williams, president of the BITS division of The Financial Services Roundtable, said he has "no doubt" that banks and other financial services companies have a responsibility to notify customers of breaches.
"Do you think a month to notify customers is an appropriate time frame?" Menendez asked.
"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way those customers can begin to take action to protect themselves," Williams said.
The banking industry is "constantly" improving its cybersecurity efforts, Williams said.
In the past six years, U.S. financial services companies have reported 288 data breaches, with 83 million records compromised, Menendez said. He questioned whether banks were doing enough to protect their customer accounts.
Menendez called for a national law requiring breached businesses to notify affected customers. More than 45 states have breach notification laws, making it difficult for businesses to comply with all of them, said Stuart Pratt, president and CEO of the Consumer Data Industry Association, a trade group representing data brokers.
Menendez also called on the Senate to pass his Cybersecurity Enhancement Act, which would allocate new money for cybersecurity research and scholarships.
But Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), warned lawmakers to avoid preempting strong state laws with a weak federal data-breach notification law. Rotenberg questioned Williams' assurances that financial institutions are serious about cybersecurity.
"The experience of consumers today is actually very different," Rotenberg said. "It may be the case that financial institutions are spending a lot of money to safeguard this data, but what consumers are seeing is more and more breaches. We have a problem, and this problem is getting worse."
Existing regulations may not help small banks better protect data, because of limited resources, added Kevin Streff, director of the National Center for Protection of Financial Infrastructure at Dakota State University in Madison, South Dakota.
Small banks and small businesses are the "soft underbelly of underprotected targets," he said. About 70 percent of small and medium-sized businesses lack basic cybersecurity controls, Streff added.
Small banks can't afford to pay "six-figure salaries" to IT security professionals and often add cybersecurity responsibilities to a staff member's duties, Streff said. The U.S. government can help by providing funding for training for cybersecurity professionals, he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is email@example.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Multi-Factor Authentication; Current Usage and Trends
- International Mobile Communications: How To Balance Connectivity, Productivity And Cost Concerns
- Eight Simple Steps to Boost Campaign Results Using Predictive Modelling
- Virtual Server Backup Software Buyer’s Guide
- Case Study: Worldwide Collaboration by Design
Cloud debate now about speed and sophistication
Yahoo Mail still down for some users, after an attempted fix
Queensland government to provide 200 services online by 2015
CIOs need to get their house in order, CFO panel says
Is Data Complexity Blinding Your IT Decision-Making?
Why Deliver Customer Service in the Cloud?
In a volatile and hyper-competitive market, delivering exceptional multichannel customer service consistently is essential. But delivering world-class service on tight budgets and to even tighter deadlines is a tough challenge for even the largest organisations. In this whitepaper, we look at how successful organisations choose to deliver customer service in the cloud.
Complexity Ate My Budget
It’s high time we tamed the monster we created! Against a backdrop of sustained and uncontrollable data growth, most of today’s operational problems revolve around backup and recovery. Understanding the hidden costs and implications for data protection strategies is critical, but the complexity of the nebulous and amorphous cloud can make everything hazy. This white paper breaks it down to different dimensions of virtualisation and how to deliver the productivity and flexibility it promises.
Pathways Leadership Development Program Overview 2014