Congress Queries Banks on Breaches
16 Financial Institutions Asked to Provide Security Details
Two Democratic members of Congress have sent letters to 16 financial institutions seeking information about any data breaches they've experienced and detailed briefings from corporate IT security officers as the House and Senate consider cybersecurity legislation.
Rep. Elijah E. Cummings, D-Md., ranking member of the House Committee on Oversight and Government Reform, and Senator Elizabeth Warren, D-Mass., on Nov. 18 sent the letters to banks, investment firms and other financial service providers, including Bank of America, Goldman Sachs, HSBC and Wells Fargo.
"The increasing number of cyber-attacks and data breaches is unprecedented and poses a clear and present danger to our nation's economic security," Cummings and Warren said when announcing the letters. "Each successive cyber-attack and data breach not only results in hefty costs and liabilities for businesses, but exposes consumers to identity theft and other fraud, as well as a host of other cybercrimes."
The letters cite recent reports from FBI officials who revealed that over the past 12 months, hackers have stolen more than 500 million financial records (see: Chase Breach: Did Russia Play a Role?).
In their letters, Cummings and Warren make reference to the JPMorgan Chase breach, which exposed certain personal information, including e-mail addresses, on about 76 million households and 7 million small businesses. Earlier, Cummings requested a hearing on the Chase breach.
Last week, Cummings sent a similar information request to Home Depot, Target, Kmart, Community Health Systems and the parent companies of USIS seeking detailed briefings from their chief IT officers about recent attacks against those companies.
In their letters to the financial institutions, Cummings and Warren state that the feedback they receive will be helpful as Congress examines federal cybersecurity laws and considers ways to protect sensitive consumer and government information.
Among the information being sought:
- A description of all data breaches the organization has experienced;
- The approximate number of customers that may have been affected and how they were notified of the breach;
- The findings from forensic investigative analyses or reports;
- The individuals or entities suspected or believed to have caused the data breaches;
- A description of data protection improvement measures the organization is taking;
- An estimate of the number and value of fraudulent transactions that were connected to the data breaches;
- A description of the data security policies and procedures involving vendors, third-party service providers and subcontractors; and
- Any recommendations for improvements in cybersecurity laws.
Analyzing Congressional Outreach
The congressional inquiries about the security policies of financial institutions are appropriate in light of growing security concerns, says Doug Johnson, senior vice president of risk management policy for the American Bankers Association. "It's Congress' job to look into these types of things and determine if legislative action is warranted," he says.
"What we're hopeful of is we might be able to get some forward movement toward a national data breach standard," Johnson says.
In recent years, there has been growing interest from President Obama and Congress in enacting a national data breach notification law, though no such bill has reached either the Senate or House floors in the current Congress (see: U.S. Data Breach Notification Law Unlikely in 2014).
Johnson also notes that, regardless of whether a payment card breach happens outside of a financial institution, "it's still the bank customer that's at the end of the line and so the bank owns the breach," he says. "We have every incentive to really work through with our customers any breach that happened external from a financial institution, [informing them of] the reissuing of cards, making them whole and all the things that we've done in the course of these breaches."
The financial industry has a "good story to tell, and will take the opportunity to tell it," Johnson says.