On Nov. 27, 2013, about 40 million debit and credit card numbers -- along with personal information on about 70 million people -- were stolen from retailer Target Corp.'s computer systems, making the data breach one of the largest ever. Target didn't discover the breach until December 2013, leaving sensitive customer data exposed for more than two weeks.
Despite the scope of the security failure, Target did not notify customers that their sensitive data may have been compromised until journalist Brian Krebs broke the news on his blog on Dec. 19. The incident ignited questions among lawmakers and regulators about Target and other retailers' security policies, data breach response plans and disclosure practices.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
What legislative initiatives were launched in the wake of Target's massive security breach?
Following the massive security failure at Target, a number of lawmakers and regulators redoubled efforts to strengthen data protection rules, including disclosure, notification and reporting requirements. The breach affected tens of millions of American consumers and intensified calls for a nationwide framework for safeguarding data.
On Capitol Hill, the breach spurred a new look at a number of legislative measures that had been previously tabled. Sen. Patrick Leahy (D-Vt.) reintroduced the Personal Data Privacy and Security Act, and called the Target data breach "a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our Nation."
More SearchCompliance FAQs
Investment Company Act reduces misled compliance officer liability
PCI DSS 3.0 updates compliance requirements
"Admission of guilt" now a factor in SEC settlements
Options limited for organizations opposed to federal surveillance information requests
The Act would require businesses to implement internal data protection and security policies, as well as create a national standard for breach notification. It would also establish criminal penalties for anyone who willfully or intentionally hides a breach that involves personal data if the breach caused damage to consumers.
Sens. Dianne Feinstein (D-Calif.), John Rockefeller (D-WV), Mark Pryor (D-Ark.), and Bill Nelson (D-Fla.) introduced the Data Security and Breach Notification Act, which has similar goals to previous bills. The Data Security and Breach Notification Act would require the Federal Trade Commission to release security standards for businesses that maintain personal and financial data on customers. It would also establish breach notification requirements and give companies incentives to deploy anti-hacking technologies.
Sen. Richard Blumenthal (D-Conn.) pledged to re-introduce the Personal Data Protection and Breach Accountability Act, which would require businesses to take steps to protect consumers from data breaches. If a company failed to protect personal or financial data, a consumer would be allowed to recover damages for any injuries caused by the failure.
What potential regulatory actions did the Target data breach prompt at the Federal Trade Commission?
Along with news of the massive security failure at Target came a renewed focus on the Federal Trade Commission's power to regulate data protection and punish those responsible for breaches. As soon as the breach was made public, Sen. Blumenthal (D-Conn.) asked the FTC to investigate the retailer's security practices.
The FTC "has the authority and the responsibility to investigate and address this kind of event, and I urge you to look into this case immediately," Blumenthal wrote to FTC Chairwoman Edith Ramirez. The senator called not only for greater data security requirements but also for immediate consumer notification. "Retailers must notify customers the moment they know about a data breach, not when it fits a business strategy," he said.
Sen. Robert Menendez, D-N.J., also weighed in on granting the FTC additional authority, in part to hold businesses accountable when sensitive data is compromised.
FTC requests Congress to develop stronger data breach protection laws
Official Senate Committee on judiciary hearing: Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime
What potential regulatory actions did the Target data breach prompt at the Securities and Exchange Commission?
In the wake of the Target data breach, some lawmakers turned to the Securities and Exchange Commission for breach disclosure and reporting requirements. In October 2011, the SEC recommended that companies begin reporting any massive data breaches so that investors would have more complete information about cyber risks and incidents. As of Jan. 28, 2014, however, Target had not disclosed the breach in its SEC filings.
Sen. Rockefeller said he was puzzled why Target hadn't updated its SEC filings following the breach. "Your failure thus far to provide this information to your investors does not seem consistent with the spirit or the letter of the SEC's financial disclosure rules," Rockefeller wrote in a letter to the company.
The SEC is conducting a review of its disclosure rules, and Chairman Mary Jo White said she believes the agency should reconsider the type of information that must be disclosed, as well as where and how it is disclosed.
Committee on Commerce, Science and transportation questions Target's breach reporting
SEC Chair Mary Jo White discusses disclosure reform during keynote address
Are data protection initiatives in Washington, DC, focused more on ensuring improved security policies and practices among businesses or on hunting down and punishing those responsible for breaches?
There is considerable enthusiasm throughout Congress for a data protection and cybersecurity measure in 2014, but the approaches to addressing the matter differ largely along party lines.
Democratic leaders on Capitol Hill were quick to call for investigations into how the Target data breach happened and put the spotlight on whether retailers are doing enough to safeguard consumer information. In the House of Representatives, Rep. Henry Waxman (D-Calif.), called for a hearing of the House Energy and Commerce Committee and asked Target to provide information on its network security and threat monitoring policies, as well as its breach notification efforts.
In the Senate, Democratic Sens. Menendez, Mark Warner (D-Va.) and Charles Schumer (D-NY) called for a Banking Committee hearing to explore whether retailers and financial service providers are doing enough to protect consumer data. "We believe it would be valuable for the Committee to examine whether market participants are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft and other harmful consequences and whether we need stronger industry-wide cybersecurity standards," they noted.
Republican lawmakers overall have been less vocal in responding to the Target data breach, with some positioning the retailer as a victim and focusing on what consumers can do to protect themselves. Upon announcing a hearing of the House Subcommittee on Commerce, Manufacturing, and Trade, Chairman Lee Terry, R-Neb., noted that Target and other retailers have recently "come under attack" and that the businesses themselves have "suffered criminal hacks."
Committee on Energy and Commerce requests data breach details from Target Corp.
Subcommittee examines recent consumer data breaches, discusses protection efforts