(Hartford, CT) – At a hearing today of the Senate Committee on Commerce, Science, and Transportation, U.S. Senator Richard Blumenthal (D-Conn.) discussed the Anthem cyberattack that has exposed the personal information of approximately 80 million customers and employees.
“This latest cyberattack is not only breathtaking in its scope and scale, it is potentially heartbreaking and life changing for the tens of millions of consumers and employees affected. Sadly, Anthem is only the latest case in a string of hacks and cyberattacks that have cost consumers tens of billions of dollars. These attacks are real and they hurt real people, and companies and universities collecting sensitive consumer data have an obligation to do more to protect that information,” Blumenthal said.
The hearing of the Consumer Protection, Product Safety, Insurance, & Data Security Subcommittee, scheduled prior to the announcement of the Anthem data breach, was entitled “Getting it Right on Data Breach and Notification Legislation in the 114th Congress.”
Blumenthal’s opening statement, as prepared for delivery, follows.
Thank you, Mr. Chairman, and thank you for holding this hearing. I’d like to start by expressing my optimism and enthusiasm at the opportunity to work with you, Chairman Thune, and Ranking Member Nelson on consumer protection issues.
Having already served on this subcommittee, I know that consumer protection is a bipartisan issue. None of us want our constituents to be injured by defective products, taken advantage of by schemers and scammers, or exposed to concealed and unjustified health risks. I am very optimistic that during this Congress, we can build on the bipartisan progress we made previously on issues including the General Motors recall, deadly Takata airbags, and more.
The issue we’re here today to discuss is particularly timely. 2014 is known to some as the “Year of the Data Breach.” But, as we learned in the news late yesterday, cyber-thieves are not losing any steam.
Anthem, one of the nation’s largest health insurers, announced overnight that the personal information of about 80 million of its customers and employees was subject to a sophisticated external cyberattack. Information breached included names, Social Security numbers, birthdays, addresses, email and employment information, including income data.
As Leo Taddeo, the F.B.I. agent in New York who oversees the cyber and special operations division, said recently, “We are losing ground” in the battle with hackers.
Sadly, Anthem is only the latest example. Consumers have been facing – and paying for – data breaches for years.
In December 2013, we first learned about Target’s data breach, which affected credit card information and personal contact information for as many as 110 million consumers.
Since then, it seemed as if every week a new announcement was made that consumer information had been stolen – Neiman Marcus, Home Depot, Michaels Stores, White Lodging, the University of Maryland and SnapChat.
All of these recent incidents remind us that cyber-attacks are real and they hurt real people.
In the most recent survey by the Bureau of Justice Statistics (2012), they found that direct and indirect financial losses from identity theft totaled $24.7 billion. By contrast, the financial loss from all property crimes was just $14 billion.
Alarmingly, the Online Trust Alliance just released a report where it determined over 90% of the data breaches in the first half of 2014 could have been prevented if those companies were following better security protocols.
That means billions of dollars could have been saved by consumers, creditors, banks and others if companies and universities collecting sensitive consumer data spent money and resources on better protecting that information.
As an Attorney General I brought several enforcement cases against companies that violated Connecticut’s data breach law, and I worked with my colleagues – including Attorney General Madigan and Senator Ayotte – to encourage our state governments to strengthen consumer safeguards in this area.
At the federal level, we need to create stronger protections for sensitive consumer financial data, but we also must respect the states as laboratories of democracy and recognize the enormous work they’ve done in this area.
Our first mission must be to do no harm. Any federal legislation that undermines existing state protections hurts our goal.
I also believe any federal bill should empower the Federal Trade Commission with the authority it needs to hold businesses accountable for data breaches.
The FTC has brought numerous enforcement actions over the years against companies for lax data-security practices. But this piecemeal, after-the-fact approach would be better served if the Commission were able to prescribe rules requiring reasonable security practices in the first place.
In order for consumers to trust retailers, banks, and online sales, they need to know that their data is secure and isn’t being abused. Whether shopping online or at brick-and-mortar stores, consumers expect that retailers collecting their sensitive personal information will do everything in their power to protect that data. That shouldn’t be an unreasonable expectation.