Sen Menendez: New Cybersecurity Regulations Needed for Banks

Current regulations aren't enough to warn customers and protect them against data breaches at financial institutions, said Sen Robert Menendez (D-NJ) during a Senate Banking, Housing and Urban Affairs Committee hearing.

He questioned why Citigroup took about a month to report a breach affecting more than 360,000 credit card accounts in North America. Citigroup, which confirmed the breach in early June, never notified Menendez's chief of staff that his account was compromised, Sen Menendez said. The staffer attempted to use his credit card and was declined, then called Citigroup to discover his account was hacked, Sen Menendez said. "It seems to me there is a fiduciary responsibility by the [financial] entity to proactively tell their customer that has happened," he said. Sen Menendez called for a national law requiring breached businesses to notify affected customers. More than 45 states have breach notification laws, making it difficult for businesses to comply with all of them, said Stuart Pratt, president and CEO of the Consumer Data Industry Association, a trade group representing data brokers. Sen Menendez also called on the Senate to pass his Cybersecurity Enhancement Act, which would allocate new money for cybersecurity research and scholarships. But Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), warned lawmakers to avoid preempting strong state laws with a weak federal data-breach notification law.