    Senate cyber-security hearing: Today's laws are 'not adequate'

    Consumer Reports News: June 21, 2011 03:26 PM

    Witnesses from the financial industry testified before the U.S. Senate today that President Barack Obama's proposed cyber-security enhancements are a good step forward, but that additional measures need to be taken to protect consumers against financial data breaches.

    The hearing before the Senate Committee on Banking, Housing, and Urban Affairs addressed the proposed Cyber Security Enhancement Act of 2011, which calls for national standards for cyber security.

    The witnesses said the government's proposal is an important and necessary step in addressing the recent data breaches that have plagued companies such as Citigroup, Sony, and Bank of America.

    "My view is that the laws currently in place don't provide adequate protection to paying customers," said Marc Rotenberg, president of the Electronic Privacy Information Center. He cited the fact that Federal Trade Commission research shows that consumers' top concern over the last decade has been identity theft. "We have a problem. And that problem is getting worse."

    One major point the witnesses addressed was the issue of the proposed legislation overlapping with current state guidelines. The witnesses said banks shouldn't have to worry about addressing both federal and state guidelines, and that federal standards shouldn't make cyber protection weaker in some states.

    "I think it's very important to look at the residual effect when a low national standard removes higher state safeguards," said Rotenberg.

    Rotenberg said one way financial institutions could limit the number of data breaches is by simply limiting the amount of data they collect from their customers.

    Leigh Williams, president of BITS, a division of the Financial Services Roundtable, said banks are spending tens of billions of dollars each year to increase cyber protection. "I can't tell you that there will never be another breach at a financial institution," Williams said. "But I can tell you that we are constantly improving our security measures."

    Williams said the proposal is an important step, but that Congress should allow exceptions to national standards in instances where similar standards are already in place.

    Pablo Martinez, a special agent in charge of the Secret Service's Criminal Investigations Division, said cyber security has risen over the last decade because more people have access to the Internet and advanced technology. He specifically agreed with the proposal that financial institutions should notify customers of a data breach within one month of its occurrence.

    Dr. Kevin Streff, director of the Center for Information Assurance at Dakota State University, said making a national standard for notifying customers of data breaches would be a significant step in the right direction.

    "I would think that the customers today are confused about when they're notified, and how they're notified, with the lack of a comprehensive approach," he said.

    Streff said cyber security education for small businesses will be crucial in the future. He said more than 300 million finance-related data records have been breached in the U.S. since 2005, largely because 70 percent of small- and medium-size businesses do not have adequate cyber protections.

    One point of contention was about how much jurisdiction the government should have over companies that have data centers overseas. Under current guidelines, companies are liable for any data breaches that occur within their subsidiaries; both Williams and Martinez agreed that companies should continue to be held liable going forward.


    Evan MacDonald
