Citi Breach Helps Push for Federal Data Security Rules

Byline: Kate Davidson

WASHINGTON - The Obama administration's push to create a national standard for when and how banks and other companies must notify customers of a data breach appears to be gaining momentum.

Financial services representatives told a Senate panel on Tuesday that they would support the White House's proposal, which would, among other things, combine a patchwork of 47 state laws on the issue into a federal standard.

Senate Banking Committee Chairman Tim Johnson also appeared supportive of strengthening cybersecurity laws, saying recent high-profile data breaches within the financial services sector and elsewhere underscore the importance of the issue.

"Breaches are disruptive and raise the potential for financial fraud, identity theft and, potentially, severe threats to our national economic security," Johnson said.

Citigroup Inc. suffered the most recent high-profile data breach, disclosing last month that a hacker had accessed customer information for more than 360,000 credit card accounts.

Lawmakers have criticized Citi for waiting nearly a month to disclose the breach. Citi said it discovered the breach on May 10 during routine maintenance, but didn't begin notifying customers until June 3.

Sen. Robert Menendez, D-N.J., said there have been 288 publicly disclosed breaches at financial services companies in the past six years that exposed at least 83 million customer records.

"I'm concerned about what are the financial institutions doing, No. 1, to enhance their position against cybersecurity attacks, and No. 2, when there is a breach, what are they doing in their fiduciary responsibility to notify their customers of those breaches," said Menendez, who introduced his own cybersecurity bill earlier this month.

He pressed witnesses to say whether Citi should have come forward sooner.

Leigh Williams, the president of BITS, the technology policy division of the Financial Services Roundtable, said banks have a responsibility to notify customers of breaches as quickly as possible.

"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators under regulatory rules," Williams said. "And they have a fiduciary and a business responsibility to notify customers if there is any way that the customer can begin to take action to protect themselves."

Williams said the industry has invested tens of billions of dollars in cybersecurity and is continually improving its ability to repel cyberattacks. …