Cybercrime: How quickly should retailers notify customers of a data breach?

Attorney General Eric Holder wants Congress to hold retailers to a standard to promptly disclose a significant data breach to consumers and to law enforcement.

J. Scott Applewhite/AP Photo
Attorney General Eric Holder testifies on Capitol Hill in Washington last month. Mr. Holder on Feb. 24 urged Congress to advance federal legislation requiring retailers to inform consumers and law enforcement sooner when their personal data are stolen by cybercriminals.

US Attorney General Eric Holder is calling on Congress to enact a national standard for notifying consumers when their personal or financial data have been compromised.

Late last year, a cyberattack compromised the payment information of some 40 million customers and the personal information of as many as 70 million shoppers at the discount retailer Target. Since then, high-end retailer Neiman Marcus and arts and crafts store Michaels have both raised the alarm that their systems may have been breached as well.

“As we have seen, especially in recent years, these crimes are becoming all too common,” Mr. Holder said during his weekly video address Monday. “Although the Justice Department officials are working closely with the FBI and prosecutors across the country to bring cybercriminals to justice, it is time for leaders in Washington to provide the tools that we need to do even more by requiring businesses to notify consumers and law enforcement in the wake of significant data breaches.”

While federal laws require banks and hospitals to inform their customers and patients immediately in the wake of a cyberattack, there is no federal standard requiring retailers to immediately notify customers that an unauthorized party may have accessed their information.

Consumer advocates have criticized Target for not alerting customers of the breach soon enough. A Target executive told Reuters that the company disclosed the incident four days after internally confirming the break-in, but did not say when it first learned of the problem.

“It’s a judgment call,” Joseph DeMarco, former head of cyber crime at the US Attorney’s Manhattan office, told Reuters. “A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose.”

In the absence of a federal mandate, 46 states and the District of Columbia have enacted their own legislation outlining how and when companies need to send out an alert to customers. Some state attorneys general have expressed concerns that federal legislation could impede their ability to crack down on violators.

However, Holder may find some surprising allies among retailers.

The National Retail Federation has long supported implementation of federal guidelines for notification in the event of a cyberattack.

“A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live,” the retailer association said, in a January letter to Congress.

Consumer advocates worry that the retail industry's drive for federal regulation will help to usher in weaker laws that trump those that states have already implemented.

“None of the federal proposals [as of Feb. 11] are as strong as the strongest state laws, and that’s wrong,” said Edmund Mierzwinski, consumer program director of the US Public Interest Research Group. “I don’t think we need [a federal law] that’s weaker than California’s.”

In the eyes of the Obama administration, all cyberattacks are nationally significant. The president has called cyberattacks “one of the gravest national security dangers that the United States faces.”

During a White House event earlier this month, the Department of Homeland Security launched a voluntary program to help a wide range of businesses assess their vulnerability to cyberattacks.

“It boils down to this – in cyber security, the more systems we secure, the more secure we all are,” said DHS Secretary Jeh Johnson. “We are all connected online and a vulnerability in one place can cause a problem in many other places.”

The threat of cyberattacks has loomed large ever since the online marketplace became a reality in the 1990s. Since then, much of the nation’s infrastructure, including water supply controls and the electrical grid, has moved online. Security experts have long warned that concerted cyberattacks could escalate from a time-consuming nuisance into a major security threat capable of compromising the nation’s infrastructure.

So far, at least, it seems that cyberattacks have been isolated schemes, according to a National Cyber Investigative Joint Task Force report, released earlier this month.

“Bringing all of the government’s knowledge together today, the report demonstrates there is no evidence of a coordinated effort – whether by criminal groups or nation states – to harm the US economy,” said Steve Chabinsky, a cyber security expert and former cyber attorney for the FBI. “Plain and simple, whoever did this just wants to make a whole lot of money.”

Material from Reuters and the Associated Press was used in this report.
