5:19am

Wed February 5, 2014
All Tech Considered

Lawmakers Look To Prevent More Target-Sized Data Breaches

Originally published on Wed February 5, 2014 10:40 am

The sheer size and frequency of the recent credit card data breaches at Target, Neiman Marcus and other companies are prompting lawmakers to consider legislative options to keep sophisticated cyberthefts from happening.

"If anything, we've learned from this major, major breach that we can no longer do nothing," said Sen. Amy Klobuchar, D-Minn. "We have to take action."

The bad guys who stole data from as many as 110 million Target customers are so good at what they do that even the most modern security programs couldn't detect them. If security software can't keep up, hopes for regulation to stop fraud are slim.

"This is kind of an ongoing war, and the types of threats are changing all the time," said Fran Rosch, a vice president at the security software company Symantec. He appeared Tuesday before the Senate Judiciary panel, which explored legislative options in data security.

"Information's everywhere," Rosch said. "It's in our data centers, it's in the cloud. It's in software that sits in the cloud and on our mobile devices. So the threats are exploding, but so are the attack surfaces."

Lawmakers are considering a few policy changes to better protect consumers, such as pushing for more secure credit and debit cards. American credit cards have already failed to keep up with European and Asian card technology, which features encrypted chips. The chips prevent cyberthieves from reusing any data after they steal it.

"What's stopping our country when they're doing this in Europe?" Klobuchar asked.

Part of the problem is the complexity of the American financial system, which has so many competing card issuers, banks, retailers and business owners. Adopting systemic change to the way purchases are made would cost retailers and banks hundreds of millions of dollars.

But the recent breaches were so costly that both banks and retailers are backing a changeover to chip technology together.

"All of us have to move together simultaneously; it's a shared responsibility," said Target Chief Financial Officer John Mulligan. "The financial industry, obviously they're, in general, the issuers of the cards. So again, in partnership with them, we need to move together collectively so the whole system is employing chip and PIN technology."

Visa and Mastercard are aiming to have chips in the majority of U.S. cards by October 2015, but it could be even longer before retail outlets change their card readers. Lawmakers are asking what they could do to speed up the change.

Another plan would be to tighten data theft disclosure and security standards, an option pushed by Sen. Al Franken, D-Minn.

"Right now there's no federal law setting out clear security standards that merchants and data brokers need to meet, and there's no federal law requiring companies to tell their customers when their data has been stolen," Franken said.

Franken and Sen. Patrick Leahy, D-Vt., are co-sponsoring the Personal Data Privacy and Security Act, which includes those disclosure and security standards. Both retailers and security companies who appeared before senators Tuesday signaled support.

But the fast-changing tech terrain makes some lawmakers wary of any attempt at national standards.

"I'm always a little bit concerned about creating a new federal regulatory authority," said Sen. Mike Lee, R-Utah, "in part because sometimes when you establish something like that it can quickly become ineffective, especially if it's in an area like this one."

Outside a Washington, D.C., Target store Tuesday, Joshua Sands said he's still a loyal Target shopper — but he's taking personal responsibility for his security.

"It's like being on the Internet, when they tell you you should always have an anti-virus on your computer," he said. "You always assume somebody's trying to get in. You have to be vigilant for yourself. You can't leave it up to someone else to handle your security."

Until more systemic changes are put in place, security experts say the attacks on our payment systems are expected to continue.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

STEVE INSKEEP, HOST:

It's growing harder to get your brain around how enormous last year's thefts of credit card data really were.

RENEE MONTAGNE, HOST:

We learned in December information was swiped from millions of customers at Target.

INSKEEP: Now we know that breach was so big, it put the personal data of up to 1 in 3 Americans at risk for fraud.

MONTAGNE: Nor were the crimes limited to Target. Cyber thefts affected consumers at Neiman Marcus and other chains.

INSKEEP: NPR's Elise Hu reports on what lawmakers want to do now.

ELISE HU, BYLINE: The bad guys who stole data from as many as 110 million Target customers were so sophisticated that even the most modern security programs couldn't detect them. So Joshua Sands, who's still a loyal Target shopper, says he's watching his transactions closely.

JOSHUA SANDS: It's like being on the Internet, you know, when they tell you, you should have an anti-virus on your computer. You always assume somebody's trying to get in.

HU: Cybersecurity companies say that's about right. Data theft at the terminals where you swipe your credit cards is getting unstoppable.

(SOUNDBITE OF SENATE PANEL HEARING CHATTER)

FRAN ROSCH: This is kind of an ongoing war, and the types of threats are changing all the time.

HU: Fran Rosch represents the security software company Symantec. He appeared before a Senate panel on Tuesday.

ROSCH: Information's everywhere. It's in our data centers. It's in the Cloud. It's in, you know, software that sits in the Cloud, on mobile devices. So the threats are exploding, but so are the attack surfaces.

HU: As threats change with the speed of technology, lawmakers still move at the speed they always have. But as Minnesota Sen. Amy Klobuchar said, there's now more willingness to do something.

SEN. AMY KLOBUCHAR: If anything, we've learned from this major, major breach that we can no longer do nothing; that we have to take action.

HU: One action could be requiring more secure cards. American credit cards have already failed to keep up with European and Asian card technology, which features encrypted chips. Chips prevent cyber thieves from reusing any stolen data after they steal it.

Again, Sen. Klobuchar.

KLOBUCHAR: Maybe there will be some other new, great thing that comes along. But what's stopping our country when they're doing this in Europe?

HU: U.S. cards haven't adapted sooner because it would cost retailers and banks hundreds of millions of dollars to change cards and card readers. But the recent breaches were so big that both banks and retailers are backing a changeover to chip technology together.

JOHN MULLIGAN: All of us need to move together simultaneously. It's a shared responsibility.

HU: Target's chief financial officer, John Mulligan.

MULLIGAN: The financial industry - obviously - they're, in general, the issuers of the cards. And so, again, in partnership with them, we need to move together collectively so that the whole system is employing chip and PIN technology.

HU: Visa and MasterCard are aiming to have chips in the majority of U.S. cards by fall of next year. But it could be longer before retail outlets change their card readers. So lawmakers are considering what they can do to speed up the change. Other options on the table deal with data theft disclosure and security standards.

Minnesota Sen. Al Franken.

SEN. AL FRANKEN: Right now, there's no federal law setting out clear security standards that merchants and data brokers need to meet. And there's no federal law requiring companies to tell their customers when their data has been stolen.

HU: Franken is co-sponsoring a bill to create those requirements, and both retailers and security companies signaled support. But the fast-changing tech terrain makes some lawmakers wary of any attempt at national standards.

Utah Sen. Mike Lee.

SEN. MIKE LEE: I'm always a little bit concerned about creating a new federal regulatory authority, in part because sometimes, once you establish something like that, it quickly becomes ineffective - especially if it's in an area like this one.

HU: The Target shopper, Joshua Sands, says he'll be watching his own data closely.

SANDS: You have to be vigilant for yourself, you know. You can't leave it up to someone else to, you know, handle your security.

HU: Until more systemic changes are put in place, the attacks on our payment systems are expected to continue.

Elise Hu, NPR News. Transcript provided by NPR, Copyright NPR.
