Washington - Following last week's news of the Citigroup data breach, U.S. Senator Robert Menendez (D-NJ) today called for an investigation. In a letter to the acting head of the Office of the Comptroller of the Currency (OCC), Menendez stressed the importance of investigating the matter, both because of its implications for the security of the financial industry as a whole and because of the company's failure to notify customers immediately of the breach.

Menendez, author of The Cybersecurity Enhancement Act of 2011 and a member of the Senate Banking Committee, also called for support of his legislation, which would increase research and development efforts to prevent and address these types of incidents. Background on the legislation: http://menendez.senate.gov/newsroom/press/release/?id=9b179443-8674-4bdf-b7fe-f4685b089042

"As Citigroup's primary regulator with jurisdiction for data security issues, I hope that you also believe this to be unacceptable for consumers," the senator wrote in the letter. "Reportedly, customer and account information, including card numbers and email addresses, was viewed during this breach.[2] Obviously, the implications of this, combined with the lengthy delay, are troubling. As you know, over the last six years, there have been 288 publicly disclosed breaches at financial services companies that exposed at least 83 million customer records.[3] And just this weekend, the International Monetary Fund was hit by cyber hackers. This problem is widespread and must be properly addressed by all parties."

PDF OF THE LETTER:
http://menendez.senate.gov/download/?id=b7373c7c-6b55-49de-9e1a-45e450240543

FULL TEXT OF THE LETTER:

Dear Mr. Walsh:

I write today to express my concern with respect to recent disclosures that the network of Citigroup Inc. had been breached and the financial and personal information of more than 200,000 bank card holders had been unlawfully accessed and viewed. Recent press reports have said that Citigroup waited as long as three weeks before notifying customers of this breach.[1]

If true, this delay is simply unacceptable. As Citigroup's primary regulator with jurisdiction for data security issues, I hope that you also believe this to be unacceptable for consumers. Reportedly, customer and account information, including card numbers and email addresses, was viewed during this breach.[2] Obviously, the implications of this, combined with the lengthy delay, are troubling. As you know, over the last six years, there have been 288 publicly disclosed breaches at financial services companies that exposed at least 83 million customer records.[3] And just this weekend, the International Monetary Fund was hit by cyber hackers. This problem is widespread and must be properly addressed by all parties.

Put simply, Citigroup's customers should have been notified immediately that their personal and financial information was illegally viewed. While I understand that financial institutions may be hesitant to contact customers because they do not want to portray weaknesses in their operations, their number one concern must be their customers when these unfortunate crimes occur.

Can you please detail what steps you have taken to work with Citigroup to remedy this situation? Was the OCC aware of this breach when it initially occurred? Does the OCC believe that Citigroup properly followed existing privacy laws when waiting to notify their customers? In this situation, would penalties be appropriate?

Additionally, several press reports have noted regulatory gaps and other problems in preventing breaches such as these, which continue to occur. In 2005, the major credit card companies agreed to form a set of industry-wide security standards after a major breach occurred. Yet six years later, compliance is decidedly mixed with less than 60% of online merchants conforming.[4] Can the OCC comment on why industry adoption continues to lag? Given the increasing number of security breaches that have occurred, compliance would seem prudent. Are these standards out of date at this point?

And lastly, in light of this last breach, retailers have claimed that banks have little incentive to reduce fraud as retailers often pay the cost for fraudulently purchased items and banks also collect charge-back fees from merchants.[5] Do you agree or disagree with this view? What can be done to ensure that better preventive security measures like card chip technology are taken?

Along with Representatives McCaul and Lipinski, I have introduced bicameral legislation - The Cybersecurity Enhancement Act of 2011 - that would increase research and development efforts to strengthen cybersecurity for federal networks and better enable the government, universities and the private sector to collaborate and easily share information.

I believe that instances such as the unfortunate breach at Citigroup underscore the immediate need for this type of legislation as well as strong federal protection for consumers as attacks continue to escalate.

Thank you for your attention to this matter and I look forward to your response.

Sincerely,

ROBERT MENENDEZ

United States Senator
[1] http://online.wsj.com/article/SB10001424052702304665904576382391531439656.html

[2] http://www.reuters.com/article/2011/06/09/uk-citi-hacking-idUSLNE75800H20110609

[3] http://www.nytimes.com/2011/06/10/business/10citi.html?pagewanted=print

[4] http://www.nytimes.com/2011/06/10/business/10citi.html?pagewanted=print

[5] http://www.nytimes.com/2011/06/10/business/10citi.html?pagewanted=print