Rockefeller: We Need a Strong Federal Standard to Protect Consumer Data

March 26, 2014

WASHINGTON, D.C.-- Chairman John D. (Jay) Rockefeller IV today gave an opening statement at the U.S. Senate Committee on Commerce, Science, and Transportation hearing titled, "Protecting Personal Consumer Information from Cyber Attacks and Data Breaches." Below are his prepared remarks:

We now live in the era of “Big Data”. Whether we like it or not, companies are regularly collecting reams of information about us as we go about our daily lives. They are tracking us as we visit Web sites, as we are walking around stores, and as we are purchasing products. While some of the information may be mundane, some of it can be highly sensitive, including very specific details about our finances and our health status.

I think we can all agree that if Target – or any other company – is going to collect detailed information about its customers, they need to do everything possible to protect it from identity thieves. It is now well known that Target fell far short of doing this.  Last November and December, cyber thieves were able to infect their credit card payment terminals with malicious software, loot their computer servers, and access a staggering amount of consumer information, which they could pick and choose from, and sell for a profit. 

There has been a lot of anxiety lately about what kind of information the federal government may be collecting about American citizens, as part of the efforts to protect our country from the ongoing terrorist threat. But the truth is that private companies like Target hold vastly larger amounts of sensitive information about us than the government does. And they spend much less time and money protecting their sensitive data than the government does. We learned yesterday that Federal agents notified more than 3,000 companies last year that their computer systems had been hacked. I am certain there are many more breaches we never hear about.

Target is going to tell us today that they take data security very seriously, and that they followed their industry’s data security standards – but the fact remains, it wasn’t enough. The credit card numbers of 40 million people, and the email addresses of nearly 70 million people, were potentially stolen under their watch. My staff has carefully analyzed what we know at this point about the Target breach. In a new report, they identify many precise opportunities Target had to prevent this cyberattack.  I ask unanimous consent to insert this staff report in the record of this hearing.

It is increasingly frustrating to me that organizations are resisting the need to invest in their security systems. Target must be a clarion call to businesses, both large and small, that it’s time to invest in some changes.

While I am disappointed that many companies have failed to take responsibility for their data security weaknesses, I am just as disappointed by Congress’s failure to create federal standards for protecting consumer information. Recently, I put forth legislation that builds on the long, well-established history of the Federal Trade Commission and state attorneys general in protecting consumers from data breaches. The bill would set forth strong, federal consumer data security and breach notification standards by: 

  • Directing the FTC to circulate rules requiring companies to adopt reasonable, but strong, security protocols.
  • Requiring companies to notify affected consumers in the wake of a breach.
  • Authorizing both the FTC and state attorneys general to seek civil penalties for violations of the law.

For nearly a decade, we’ve had major data breaches at companies both large and small. Millions of consumers have suffered the consequences. While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry’s disingenuous attempts at negotiations.

This is my message to industry today. It’s time to come to the table. Be willing to compromise. While I’m willing to hear their concerns about my legislation – or any other legislation – I’m not willing to forfeit the basic protections American consumers have a right to count on. 

Finally, I would be remiss if I did not publicly note that representatives from the company Snapchat declined my invitation to testify today. When people refuse to testify in front of this Committee, instinct tells me they are hiding something. In this instance, on this subject, I think it warrants closer scrutiny.