BreachExchange mailing list archives

Citi Breach Builds Momentum for Federal Data Security Standards


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 23 Jun 2011 02:42:44 -0400

http://www.insurancenetworking.com/news/insurers_cyber_crime_federal_data_standard-28225-1.html

The administration proposal that would set a national standard for when
and how banks, insurers and financial services companies must notify
customers of a data breach would also beef up penalties for cyber crimes
by synchronizing them with other laws, such as the Racketeer Influenced
and Corrupt Organizations Act.

The Obama administration's push to create a national standard for when
and how banks and other companies must notify customers of a data
breach appears to be gaining momentum.

Financial services representatives told a Senate panel on Tuesday they
would support the White House’s proposal, which would, among other
things, combine a patchwork of 47 state laws on the issue into a
federal standard.

Senate Banking Committee Chairman Tim Johnson also appeared supportive
of strengthening cybersecurity laws, saying recent high profile data
breaches within the financial services sector and elsewhere underscore
the importance of the issue.

“Breaches are disruptive and raise the potential for financial fraud,
identity theft and, potentially, severe threats to our national
economic security,” Johnson said.

The most recent high-profile data breach was at Citigroup Inc., which
disclosed last month that a hacker had accessed customer information for
more than 360,000 credit card accounts.

Lawmakers have criticized Citigroup for waiting nearly a month to
disclose the breach. The bank said it discovered the breach on May 10
during routine maintenance, but didn’t begin notifying customers until
June 3.

Sen. Robert Menendez, D-N.J., said there have been 288 publicly
disclosed breaches at financial services companies in the last six
years that exposed at least 83 million customer records.

“I’m concerned about what are the financial institutions doing, number
one, to enhance their position against cyber security attacks, and
number two, when there is a breach, what are they doing in their
fiduciary responsibility to notify their customers of those breaches,”
said Menendez, who introduced his own cybersecurity bill earlier this
month.

He pressed witnesses to say whether Citi should have come forward sooner.

Leigh Williams, the president of Bits, the technology policy division
of the Financial Services Roundtable, said banks have a responsibility
to notify customers of breaches as quickly as possible.

“I think that as soon as an institution understands what has occurred,
they have an obligation to notify their regulators under regulatory
rules,” Williams said. “And they have a fiduciary and a business
responsibility to notify customers if there is any way that the
customer can begin to take action to protect themselves.”

Williams said the industry has invested tens of billions of dollars in
cybersecurity and is continually improving its ability to repel cyber
attacks.

But Marc Rotenberg, the executive director of the Electronic Privacy
Information Center and a law professor at Georgetown University, said
customers are seeing more and more data breach notifications.

“These problems are going to get worse,” Rotenberg said. “As more
sensitive data moves into the cloud, we become more dependent on
electronic financial records, and more companies store vast amounts of
consumer data on remote servers, the risk that personal data will be
improperly disclosed or accessed will necessarily increase.”

Rotenberg said any new cybersecurity legislation should apply breach
notification requirements to financial institutions, require
authentication techniques that reduce risk to consumers and should not
preempt stronger state laws.

The administration proposal, released May 12, would beef up penalties
for cyber crimes by synchronizing them with other laws, such as the
Racketeer Influenced and Corrupt Organizations Act, or RICO, which is
often used to fight organized crime but doesn’t currently apply to cyber
crimes.

It would provide voluntary federal assistance to states and local
governments to prevent cyber attacks, and would coordinate information
sharing among them. It would also direct the Department of Homeland
Security to identify critical infrastructure, such as electricity
grids and the financial sector, and work with industries to develop
cybersecurity plans.

Stuart Pratt, the president and chief executive of the Consumer Data
Industry Association, stressed that any legislative proposals should
align with existing laws and regulations.

“It is important for new laws not to impinge on frameworks of law
which already establish the necessary focus on data security,” Pratt
said. “Such conflicts are not inevitable and do not have to impede the
passage of new cybersecurity protections.”

For example, Pratt said the group favors a national breach
notification standard, but said lawmakers should avoid “arbitrarily
overwriting existing national standards” already in effect, such as
guidance already issued by bank regulators.

Williams said Bits also supported the administration’s plan.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
