Current regulations aren't enough to warn customers and protect them against data breaches at financial institutions, one U.S. senator said during a hearing Tuesday.
Senator Robert Menendez, a New Jersey Democrat, questioned why Citigroup took about a month to report a breach affecting more than 360,000 credit card accounts in North America. Citigroup, which confirmed the breach in early June, never notified Menendez's chief of staff that his account was compromised, Menendez said.
The staffer attempted to use his credit card and was declined, then called Citigroup to discover his account was hacked, Menendez said. "It seems to me there is a fiduciary responsibility by the [financial] entity to proactively tell their customer that has happened," he said during a Senate Banking, Housing and Urban Affairs Committee hearing.
Citigroup did not testify at the hearing, and a company representative did not immediately return a phone message seeking comment on Menendez's criticism. But Leigh Williams, president of the BITS division of The Financial Services Roundtable, said he has "no doubt" that banks and other financial services companies have a responsibility to notify customers of breaches.
"Do you think a month to notify customers is an appropriate time frame?" Menendez asked.
"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way those customers can begin to take action to protect themselves," Williams said.
The banking industry is "constantly" improving its cybersecurity efforts, Williams said.
In the past six years, U.S. financial services companies have reported 288 data breaches, with 83 million records compromised, Menendez said. He questioned whether banks were doing enough to protect their customer accounts.
Menendez called for a national law requiring breached businesses to notify affected customers. More than 45 states have breach notification laws, making it difficult for businesses to comply with all of them, said Stuart Pratt, president and CEO of the Consumer Data Industry Association, a trade group representing data brokers.
Menendez also called on the Senate to pass his Cybersecurity Enhancement Act, which would allocate new money for cybersecurity research and scholarships.
But Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), warned lawmakers to avoid preempting strong state laws with a weak federal data-breach notification law. Rotenberg questioned Williams' assurances that financial institutions are serious about cybersecurity.
"The experience of consumers today is actually very different," Rotenberg said. "It may be the case that financial institutions are spending a lot of money to safeguard this data, but what consumers are seeing is more and more breaches. We have a problem, and this problem is getting worse."
Existing regulations may not help small banks better protect data, because of limited resources, added Kevin Streff, director of the National Center for Protection of Financial Infrastructure at Dakota State University in Madison, South Dakota.
Small banks and small businesses are the "soft underbelly of underprotected targets," he said. About 70 percent of small and medium-sized businesses lack basic cybersecurity controls, Streff added.
Small banks can't afford to pay "six-figure salaries" to IT security professionals and often add cybersecurity responsibilities to a staff member's duties, Streff said. The U.S. government can help by providing funding for training for cybersecurity professionals, he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is firstname.lastname@example.org.