U.S. spy chiefs call for action on data breach disclosure

People shop at a Target store during Black Friday sales in the Brooklyn borough of New York, November 29, 2013. REUTERS/Eric Thayer

By Lawrence Hurley and Mark Hosenball

WASHINGTON (Reuters) - U.S. spy agency chiefs on Wednesday called on Congress to draft stricter requirements for how retailers and other private businesses should inform government agencies and customers about big breaches of personal and financial data.

The intervention by intelligence chiefs came as Attorney General Eric Holder confirmed that the Justice Department was investigating the massive hacking of consumer data from No. 3 U.S. retailer Target Corp during the holiday shopping season late last year.

Also on Wednesday, several congressional committees signaled growing interest in recent data breaches, with the powerful House Oversight Committee scheduling a telephone briefing on Thursday with Target representatives.

Separately, at Wednesday's threat hearing before the Senate Intelligence Committee, Barbara Mikulski of Maryland, where the National Security Agency is headquartered, asked intelligence chiefs if media leaks by former NSA contractor Edward Snowden had affected U.S. cybersecurity efforts.

"Is the impact of the Snowden affair slowing us down in our work to be more aggressive in the cybersecurity area?" Mikulski asked.

FBI Director James Comey said political uproar over surveillance and Snowden's leaks had complicated discussions about how to fight consumer data breaches.

"There is the threat of fraud and theft because we've connected our lives to the Internet," Comey said. "We need to make sure that the private sector knows the rules of the road and how we share that information with the government."

Some U.S. officials with responsibility for cybersecurity have complained privately that, while states have created a "patchwork" of local rules requiring businesses to report breaches of consumer data to authorities and the public, there are no similar federal requirements.

Congress has been wrestling for years with proposals for legislation on data security, but has been unable to reach agreement.

There is no national standard to govern how and when businesses that suffer consumer data breaches must advise their customers and agencies like the U.S. Secret Service and FBI.

HOLDER CONFIRMS PROBE

Holder, testifying at a Senate Judiciary Committee hearing, said the Justice Department would seek the perpetrators of the Target breach as well as "any individuals and groups who exploit that data via credit card fraud."

"While we generally do not discuss specific matters under investigation, I can confirm the department is investigating the breach involving the U.S. retailer, Target," Holder said.

Target has said a breach of its networks resulted in the theft of about 40 million credit and debit card records and 70 million other records with customer information such as addresses and telephone numbers.

The Secret Service has taken the lead investigating the recently revealed data breaches at Target and other retailers, including Neiman Marcus and Michaels Companies Inc, the largest U.S. arts and crafts retailer.

Reuters reported on January 23 that the FBI also warned U.S. retailers to prepare for more cyber attacks after discovering about 20 hacking cases over the past year that involved the same kind of malicious software used against Target during the holiday shopping season.

Numerous congressional committees are accelerating efforts to gather more information about the data breaches.

Democrat Jay Rockefeller, chairman of the Senate Judiciary Committee, took a new tack this week, asking Target why the company had not yet reported its data breach to the U.S. Securities and Exchange Commission.

"Your failure thus far to provide this information to your investors does not seem consistent with the spirit or the letter of the SEC's financial disclosure rules," Rockefeller wrote in the three-page letter to Target's chief executive.

Target closed at $56.89 per share on the New York Stock Exchange on Wednesday, down 1.7 percent, after reaching its lowest level since July 2012.

In the House of Representatives, Democratic members of the Energy and Commerce Committee on Wednesday asked Neiman Marcus for documents relating to the upscale retailer's recent cybersecurity breach. Last week, the same lawmakers asked Target executives for more documents related to its massive data breach.

Earlier this month, Neiman Marcus said about 1.1 million customer payment cards may have been affected in a breach last year.

On Thursday, members of the House Oversight Committee, which has broad investigative jurisdiction, are scheduled to hold a telephone briefing with Target representatives, during which detailed questions are expected to be asked about how and why recent data breaches occurred.

Target spokeswoman Molly Snyder did not give details on upcoming meetings but reiterated that Target was "continuing to work with elected officials to keep them informed and updated as our investigation continues."

Three Congressional panels are slated to hold hearings, beginning next week. On Monday, the Senate Banking Committee is scheduled to hear from witnesses representing the Secret Service, Federal Trade Commission, and lobbying groups. On Tuesday, the Senate Judiciary committee is expecting to take testimony from Target's chief financial officer.

The House Energy and Commerce Committee is expected to hold its own hearing next week. Neiman Marcus has been invited to that hearing but the company has not yet confirmed its attendance, said a spokeswoman for the panel's top Democrat, Henry Waxman.

A Neiman Marcus representative did not respond to requests for comment on Wednesday.

(Additional reporting by Susan Heavey, Alina Selyukh and Jim Finkle; Editing by Howard Goller, Ros Krasny, Bernadette Baum and Tom Brown)