Senators Probe Home Depot, Apple Breaches
Briefing on Details Could Build Support for Legislation
In hopes of getting stalled national data breach notification legislation moving in Congress, two influential senators say they want Home Depot and Apple Inc. to brief lawmakers on the circumstances behind their recent data breaches that permitted unauthorized access to sensitive customer information.
Sen. Jay Rockefeller, D-W.Va., and Sen. Claire McCaskill, D-Mo., jointly wrote letters to the CEOs of Home Depot and Apple, asking them to explain the details of their breaches.
"We have been advocates for data security and breach notification legislation that would better protect consumers and improve corporate responsibility," the senators said in a statement. "The recent data security incidents that have affected major corporations, including Home Depot, demonstrate the need for such federal legislation."
Rockefeller chairs the Senate Commerce, Science and Transportation Committee and McCaskill chairs the panel's Subcommittee on Consumer Protection, Product Safety and Insurance.
Earlier this week, two other senators, Richard Blumenthal, D-Conn., and Edward Markey, D-Mass., requested the Federal Trade Commission investigate the Home Depot breach, which potentially impacted customers using payment cards at its U.S. and Canadian stores since April (see: Home Depot Confirms Data Breach).
"We are concerned that the retailer's procedures for detecting and stopping operations to steal customer data are inadequate, and we call on the commission to investigate whether Home Depot's security procedures meet a reasonable standard," Blumenthal and Markey said in a statement.
In their letter to Home Depot, Rockefeller and McCaskill ask the home improvement retailer to provide a briefing on the investigation and latest findings on the circumstances that may have permitted unauthorized access to sensitive customer information.
"It has been a week since Home Depot announced its investigation into this now-confirmed breach, and we expect that your security experts have had time to examine the cause and impact of the attack and breach and will be able to provide the [U.S. Senate Committee on Commerce, Science and Transportation] with detailed information," the letter says.
The senators ask Apple to provide a briefing on its investigation into the unauthorized access to iCloud data, which resulted in photos of high-profile celebrities being released (see: Is Apple iCloud Safe?).
"We understand that the focused nature of the attack on specific iCloud accounts is very different from the massive data breaches that affected other companies, but nonetheless indicate potential vulnerabilities in your cloud security protocols that were exploited by hackers," the letter from the senators reads.
Meanwhile, senators Blumenthal and Markey have asked FTC Chairwoman Edith Ramirez to open an investigation into the Home Depot breach to determine whether the retailer failed to employ reasonable and appropriate security measures to protect sensitive personal information.
"Furthermore, it is troubling that Home Depot has not yet been able to confirm that it has successfully shut down the data breach," Blumenthal and Markey state in their letter to the FTC. "This means that its customers may continue to be at risk of having their personal information stolen."
Under Section 5 of the FTC Act, the commission has jurisdiction to investigate companies' privacy and information security policies, procedures and practices.
While the Home Depot and Apple incidents draw the interest of senators seeking more information, they may not be enough of a catalyst to get cybersecurity legislation passed this year (see: Expectations Low for Cyber Legislation).
Cybersecurity is seen as a growing concern among lawmakers, but it pales when compared with other issues Congress must confront in the next few weeks, including funding the government for fiscal year 2015, which begins Oct. 1. Without enacting a so-called continuing resolution, the federal government would shut down. Other issues are grabbing senators' and representatives' attention, too, such as the increasing threat posed by the Islamic State terrorist group in Iraq and Syria and the Russia-Ukraine conflict.
Rockefeller earlier this year introduced the Data Security and Breach Notification Act, which would provide a federal standard for companies to safeguard consumers' personal information throughout their systems and to quickly notify consumers if those systems are breached.
In February, Blumenthal and Markey introduced the Personal Data Protection and Breach Accountability Act, which would help protect consumers' personal and financial information from hackers through a multi-pronged approach that combats the risks associated with data breaches by holding those who fail to deter preventable data breaches accountable.