Eric Holder urges new laws for data breaches after Target attack

In the wake of data breaches at Target and Neiman Marcus, Attorney General Eric Holder called on Congress Monday to enact legislation requiring retailers to be more transparent about consumer data hacks. What other changes are being made to tighten up security on shopper data? 

|
Rick Wilking/Reuters
The sign outside a Target store in Arvada, Colo. Attorney General Eric Holder is urging Congress to introduce legislation to create "a strong national standard" requiring retailers to quickly alert consumers and law enforcement when shopper data is compromised.

The story is now well known: In the thick of this past holiday shopping season, data thieves hacked into retailer Target's computer system and stole sensitive financial information, including the credit-card numbers, personal identification numbers, and e-mail addresses of as many as 110 million customers.

Soon after, luxury department store chain Neiman Marcus revealed it had suffered a similar breach, affecting as many as 350,000 shoppers, and rumors are swirling that more retailers may soon reveal they have been the victim of cyberattacks, too. The issue has become such a big concern that Washington is getting involved. In a video address Monday, Attorney General Eric Holder urged Congress to introduce legislation to create "a strong national standard" requiring retailers to quickly alert consumers and law enforcement when shopper data is compromised. 

The new laws should  “enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe,” Holder said in his weekly address.

The rash of security breaches is a problem with the potential to get much worse, experts say. Mathematically, chances are you've already been a victim of identity theft, even if you've never shopped at Target or Neiman Marcus. "Seven-hundred million pieces of electronic personal data have been stolen over the last 36 months, which means everyone in the United States has had some part of their identity stolen," says Haywood Talcove, chief executive officer for LexisNexis Government, a subsidiary of the national database company based in Washington, D.C. "The question is whether or not it's been used."

How bad is it?

The Target and Neiman Marcus breaches are just the latest (and largest) examples of a type of crime that has exploded into a full-scale industry. Credit-card data theft surged 50 percent between 2005 and 2010 (the latest years for which figures are available, according to the US Justice Department). Millions of credit-card numbers are on sale at any given time on black market websites, and hackers have realized that they can maximize profits by breaking into systems of major companies, such as Target, and stealing millions of pieces of data in one fell swoop. Visa and MasterCard had similar breaches in 2012.

Pulling off these crimes is cheap: The malware used to break into Target's system was recently traced back to a high-school-age Russian programmer, who sold it for $2,000. Aside from the obvious financial impact on customers, retailers, and financial firms, the effects of such crimes can reach into the government sector.

"There's a big opportunity for tax ID fraud," says Mr. Talcove. His department at LexisNexis holds contracts with state governments in Georgia, Louisiana, and Indiana to use big data and analytics to identify sketchy tax returns. Fraudsters use personal information gained from data breaches to file fake tax returns in different states to collect refunds, he says, and it's harder to spot than credit-card fraud because "it never shows up on a credit report."

New laws, safer chip technology

The Target debacle, and others like it, could urge US retailers to invest in more consumer data protection. Part of the solution cited by many experts is for merchants and banks to phase out magnetic-stripe credit cards and convert to computer chip-based card technology (also known as EMV), already in wide use in Europe and other parts of the world. "When you use a mag-stripe card, you swipe it, and data is read by a reader, and it's the same every time the card is swiped," says Martin Ferenczi, North American president of Oberthur Technologies, a global digital security firm. "EMV allows it to be dynamic, so every transaction has a different set of data. If the same set of data is reused, the chip recognizes that and stops the transaction."

Chip-enabled cards have helped reduce fraud in Britain and Canada. Mr. Ferenczi argues that the US remains particularly vulnerable to hacks because of its delay in adopting the technology.

"EMV is not completely foolproof," warns Cynthia James, an author on cybersecurity and the director of business development at Kaspersky Lab, an anti-malware company based in Russia, via e-mail. "Those cards can be duped, too, it just costs so much that it's prohibitive [to the criminals]."

The high-profile nature of the Target and Neiman Marcus breaches may speed along the conversion process. Visa and MasterCard recently pledged to completely convert to an EMV system in the US by 2015, and Target is investing $100 million to adopt the technology.

On the legislative end, 46 states already have data breach notification laws in place, but there is no national standard for letting consumers know about security breaches. Several data security proposals are being batted around the House and the Senate, including one co-sponsored by Al Franken (D-Minn.) and Amy Klochubar (D-Minn.) that would mean harsher criminal charges for data thieves and require businesses to adhere to data safeguards laid out by the Federal Trade Commission (FTC). 

In the meantime, experts like Ms. James and Talcove advise consumers to be extra vigilant. "Sign up for credit monitoring, cancel any cards that are suspect, and check statements every month for all cards," James says. "It will also be easier if you reduce the number of cards you have."

"File your tax return early, so fraudsters don't beat you to it," Talcove adds.

[CORRECTION: An earlier version of this article misstated the number of Neiman Marcus shoppers potentially affected by that retailer's data breach. That number was 350,000, not 40 million.]

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Eric Holder urges new laws for data breaches after Target attack
Read this article in
https://www.csmonitor.com/Business/2014/0224/Eric-Holder-urges-new-laws-for-data-breaches-after-Target-attack
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe