By Alexei Alexis
March 26 — Senate Commerce, Science & Transportation Committee Chairman Jay Rockefeller (D-W.Va.) March 26 released a report that asserted Target Corp. failed to take adequate steps to prevent a payment card hacking breach.
The report, prepared by Rockefeller's staff, also asserts that Target missed several opportunities to detect and stop the attack, including multiple automated warnings from the company's anti-intrusion software.
The report was released in advance of Rockefeller's committee hearing held the same day on protecting consumers from cyberattacks.
Meanwhile, Federal Trade Commission spokesman Peter Kaplan told Bloomberg BNA March 26 that the commission has opened an investigation into the Target breach, which affected some 40 million payment card users.
At the hearing, Target Executive Vice President and Chief Financial Officer John Mulligan testified that the retail giant is asking “hard questions” about whether the company could have taken different actions before the breach was discovered.
“We are still investigating how the intruders were able to move through the system using higher-level credentials to ultimately place malware on Target's point-of-sale registers,” Mulligan said in his prepared testimony.
“The malware appears to have been designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system,” he said.
At the hearing, University of Maryland President Wallace D. Loh said that a February hacking breach at the school didn't result in the release of financial, academic, health or contact information but that the incident served as a wake-up call to improve data security.
“To be quite blunt, there were multiple warnings,” Sen. Richard Blumenthal (D-Ct.) said about the Target breach at the hearing.
Blumenthal formerly served as attorney general for Connecticut, where he became the first state attorney general to bring a lawsuit over a data breach that allegedly violated the Health Insurance Portability and Accountability Act.
Target might have missed the warnings “because of lack of training, perhaps simply a sense of confidence and complaisance. And that has created enormous cost,” he said.
Rockefeller has introduced legislation (S. 1976) that would authorize the FTC to write and enforce new rules requiring retailers and other companies to protect consumers' personal data and notify individuals in the event of a breach. Violators would face civil penalties.
“It's increasingly frustrating to me that organizations are resisting the need to invest in their security systems,” Rockefeller said at the hearing. “Target must be a clarion call to businesses, both large and small, that it's time to invest in some changes.”
Target might have missed the warnings “because of lack of training, perhaps simply a sense of confidence and complaisance. And that has created enormous cost.”
Sen. Richard Blumenthal (D-Ct.)
FTC Chairwoman Edith Ramirez told the committee that the commission needs the power to seek civil fines for data security violations.
“Never has the need for legislation been greater,” Ramirez said. “With reports of data breaches on the rise, Congress must act.”
The commission relies substantially on Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices, to pursue data security cases. The commission's use of the unfairness prong in data security enforcement actions is being challenged in federal court.
“To help ensure effective deterrence, we urge Congress to allow the FTC to seek civil penalties for all data security and breach notice violations in appropriate circumstances,” she added.
Target faced $61 million in breach-related expenses in the fourth quarter of 2013, but it expected to receive $44 million in network security insurance payouts, the company said in its Form 10-K annual report filed with the Securities and Exchange Commission March 14, which covered its fiscal year that ended Feb. 1
In the report, Target said more than 80 claims related to the breach had been filed against it but that the company “cannot reasonably estimate a range of possible losses” from litigation and government investigations. “We do not believe that a loss from these matters is probable,” it said.
The retailer also anticipates further claims from “payment card networks” but plans to dispute those claims, saying its networks complied with “applicable data security standards.” Target would likely settle such claims, it said, but the company didn't estimate how much settlements would cost.
Target added that the FTC, the SEC and state attorneys general are investigating the breach, including how it occurred, its consequences and the company's responses.
“Those claims and investigations may have an adverse effect on how we operate our business and our results of operations,” the company said in the report.
With assistance from Robert Tricchinelli in Washington and Michael Riley of Bloomberg News in Washington.
To contact the reporter on this story: Alexei Alexis in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Full text of Rockefeller's staff report is available at http://op.bna.com/der.nsf/r?Open=sbay-9hktrf.
Further information on the March 26 hearing, “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches,” including links to prepared testimony and an archived webcast of the hearing, is available at http://www.commerce.senate.gov/public/index.cfm?p=Hearings.
Target's 212-page Form 10-K filing is available at http://op.bna.com/pl.nsf/r?Open=dapn-9hltga.
To view additional stories from Privacy & Security Law Report® register for a free trial now