Attorney General Eric Holder called on Congress Monday to create “a strong national standard” to quickly alert consumers when their information is compromised in a data breach such as the ones perpetrated at Target and Neiman Marcus last year.
The data breach at Target exposed payment card data for up to 40 million people and personal data, including name, mailing address, phone number or email address, for up to 70 million customers.
Shortly after the Target breach was made public, Neiman Marcus also reported a suspected cyberattack. Account information from transactions in 77 of its 85 stores, between July and October 2013, was potentially exposed to malware.
In his weekly video address, Holder said new rules requiring notification would empower Americans to protect themselves if they are at risk of identity theft.
“It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe,” he said.
At a hearing before the Senate Judiciary Committee earlier this month, Target’s Executive Vice President and Chief Financial Officer John Mulligan testified that an intruder stole a vendor’s credentials to access Target’s computer system and placed malware on point-of-sale registers. The malware was able to capture payment card data from the magnetic stripes on credit and debit cards prior to encryption.
Neiman Marcus Senior Vice President and Chief Information Officer Michael R. Kingston also testified at that hearing, and Sen. Dianne Feinstein, D-Calif., pressed both retail executives on how they notified customers of the breach. She noted that she shops at Neiman Marcus but was never notified of the breach.
“I would have shopped during that time. When would I have gotten a notification?” she asked.
Target said the company notified those affected through “multiple forms of communication, including a mass-scale public announcement, email, prominent notices on our website, and social media channels.”
But Feinstein was not satisfied by these methods of notification. “I believe if someone uses their credit at your institution and their data is breached – they should be notified. Public notification is vague – you really don’t know,” she said.
According to the National Conference of State Legislatures, forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information, but the laws vary widely from state to state.
In his address, Holder also assured businesses that lawmakers would provide reasonable exemptions for harmless breaches to avoid placing “unnecessary burdens” on businesses that do act responsibly.
Holder said the legislation would strengthen the Justice Department’s ability to combat crime, ensure individual privacy, and help law enforcement bring cybercriminals to justice.
“My colleagues and I are eager to work with Members of Congress to refine and pass this important proposal,” he said. “And we will never stop working to protect the American people – using every tool and resource we can bring to bear.”
The global cost of consumer cybercrime in 2013 is estimated at $113 billion, with 378 million victims per year.
Paula Reid is a licensed attorney and covers the Justice Department for CBS News.