Target, one of the nation's largest retailers, suffered a major security breach over the holiday shopping season that affected millions of its in-store customers. In fact, it's estimated that 40 million dedit and card card accounts were stolen. It's already a given that Target will be paying for this breach of trust for years to come, but will it lead to even stricter scrutiny and government regulation?
Well, it certainly seems that way if some members of Congress are to be believed. In the week since it was revealed that Target was hacked, lawmakers have been calling for action. For some, that action will simply be an investigation into the hack itself. For others, they're playing around with the idea of giving the FTC additional powers to punish companies.
Do you think the FTC needs more power? Does the Target hack make new powers necessary? Let us know in the comments.
One senator in particular - Sen. Richard Blumenthal - has called upon the FTC to act in a recent open letter sent to FTC Chairwoman Edith Ramirez:
I write to urge you to immediately open an investigation into Target Corporation’s recent reported data security breach, which may have exposed the credit and debit card information of 40 million Target customers this holiday season. If Target failed to adequately and appropriately protect its customers’ data, then the breach we saw this week was not just a breach of security; it was a breach of trust. The Federal Trade Commission (the FTC or the Commission) has the authority and the responsibility to investigate and address this kind of event, and I urge you to look into this case immediately.
Next, Blumenthal says that the FTC Act gives the agency the authority to investigate Target's security policies. He encourages the agency to use this power to immediately look into how Target secured its data and if the retailer could have done more to secure its customers' data:
As you know, section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) gives the FTC jurisdiction to investigate companies’ privacy and information security policies, procedures, and practices. Given the scope and duration of Target’s recent data breach, it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information. A breach of this size indicates that somebody gained extensive and unfettered access to customer information held by Target. The fact that the intrusion lasted for more than two weeks indicates that Target’s procedures for detecting and shutting down an effort to steal customer data does not live up to a reasonable standard. If Target failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects their personal information. Its conduct would be unfair and deceptive, and it would clearly violate the FTC Act.
Now, here is where things get interesting. Later in the letter, Blumenthal says the FTC needs more power to prevent something like this from happening again. How? He suggests that the agency be given the power to impose sanctions on Target and other retailers that don't do enough to protect their data.
While it is clear that the FTC has the authority to investigate breaches like the one that occurred at Target stores, it is equally clear that the Commission needs additional authority to impose sanctions sufficient to fully punish and deter the conduct that leads to such breaches. The breach at Target highlights how vast and damaging data breaches can be. The FTC should be able to respond to breaches like this with penalties commensurate to the potential harm. I look forward to working with my colleagues in the Congress and with the Commission to ensure that the Commission has all the sanction authority it needs to carry out its mission effectively.
At this point, lawmakers are on the warpath. It's pretty obvious that Blumenthal wants to make an example out of Target and the retailer should be held responsible for what happened. What needs to be considered, however, is the idea that Target may not have been fully prepared for whatever techniques and tools the hackers used to obtain the the credit and debit card data of 40 million Americans.
Should Target have been prepared for every possible privacy breach and attack? In a perfect world, yes. Unfortunately, we live in a world where the tools used by hackers and data thieves are often outpacing the advances in security. It doesn't help that our government only imposes optional security guidelines for companies to follow and some may not follow all the guidelines in order to save a few bucks.
What we're looking at here then is a government that's trying to fix a problem that has two solutions. One is the solution given to us by Sen. Blumenthal in which he calls for the FTC to be given more power to prosecute those who don't adequately protect consumer information. The second solution would be to improve our cybersecurity standards and force companies to adopt the strictest measures to protect consumer data. Unfortunately, the only bill that would do that is the ill-fated CISPA and it contains too many privacy problems of its own to make it a worthy candidate.
Consumer privacy is becoming all too important in today's world of electronic transactions. While Target may not have been the first company to be hit by hackers, it's one of the largest thefts of consumer data to ever occur. Over the next few months, the retailer will have a lot of explaining to do. The government will be overseeing that explanation and will dole out what it feels is a proper punishment. We can only hope the punishment doesn't get in the way of real cybersecurity reform that would prevent an attack of this scale from ever happening again.
Should the FTC be given more power to punish privacy breaches? Or should lawmakers focus on updating our cybersecurity standards? Let us know in the comments.
Image via Wikimedia Commons