Cybercrime: How quickly should retailers notify customers of a data breach?

Attorney General Eric Holder wants Congress to hold retailers to a standard to promptly disclose a significant data breach to consumers and to law enforcement.

US Attorney General Eric Holder is calling on Congress to enact a national standard for notifying consumers when their personal or financial data have been compromised.

Late last year, a cyberattack compromised the payment information of some 40 million customers and the personal information of as many as 70 million shoppers at the discount retailer Target. Since then, high-end retailer Nieman Marcus and arts and crafts store Michaels have both raised the alarm that their systems may have been breached, as well.

“As we have seen, especially in recent years, these crimes are becoming all too common,” Mr. Holder said during his weekly video address Monday. “Although the Justice Department officials are working closely with the FBI and prosecutors across the country to bring cybercriminals to justice, it is time for leaders in Washington to provide the tools that we need to do even more by requiring businesses to notify consumers and law enforcement in the wake of significant data breaches.”

While federal laws require banks and hospitals to inform their customers and patients immediately in the wake of a cyberattack, there is no federal standard requiring retailers to immediately notify customers that an unauthorized party may have accessed their information.

Consumer advocates have criticized Target for not alerting customers of the breach soon enough. A Target executive told Reuters that the company disclosed the incident four days after internally confirming the break-in, but did not say when it first learned of the problem.

“It’s a judgment call,” Joseph DeMarco, former head of cyber crime at the US Attorney’s Manhattan office, told Reuters. “A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose.”

In the absence of a federal mandate, 46 states and the District of Columbia have enacted their own legislation outlining how and when companies need to send out an alert to customers. Some state attorneys general have expressed concerns that federal legislation could impede their ability to crack down on violators.

However, Holder may find some surprising allies among retailers.

The National Retail Federation has long supported implementation of federal guidelines for notification in the event of a cyberattack.

“A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live,” the retailer association said, in a January letter to Congress.

Consumer advocates worry that the retail industry's drive for federal regulation will help to usher in weaker laws that trump those that states have already implemented.

“None of the federal proposals [as of Feb. 11] are as strong as the strongest state laws, and that’s wrong,” said Edmund Mierzwinski, consumer program director of the US Public Interest Research Group. “I don’t think we need [a federal law] that’s weaker than California’s.”

In the eyes of the Obama administration, all cyberattacks are nationally significant. The president has called the cyberattacks “one of the gravest national security dangers that the United States faces.”

During a White House event earlier this month, the Department of Homeland Security launched a voluntary program to help a wide range of businesses assess their vulnerability to cyberattacks.

“It boils down to this – in cyber security, the more systems we secure, the more secure we all are,” said DHS Secretary Jeh Johnson. “We are all connected online and a vulnerability in one place can cause a problem in many other places.”

The threat of cyberattacks has loomed large ever since the online marketplace became a reality in the 1990s. Since then, much of the nation’s infrastructure, including water supply controls and the electrical grid, have moved online. Security experts have long warned that concerted cyberattacks could transcend the level of time-consuming nuisance into a major security threat that could compromise the nation’s infrastructure.

So far, at least, it seems that cyberattacks have been isolated schemes, according to a National Cyber Investigative Joint Task Force report, released earlier this month.

“Bringing all of the government’s knowledge together today, the report demonstrates there is no evidence of a coordinated effort – whether by criminal groups or nation states – to harm the US economy,” said Steve Chabinsky, a cyber security expert and former cyber attorney for the FBI. “Plain and simple, whoever did this just wants to make a whole lot of money.”

Material from Reuters and the Associated Press was used in this report.