(Hartford, CT) – In a letter to the Federal Trade Commission (FTC), U.S. Senator Richard Blumenthal (D-Conn.) today called for an investigation into Target Corporation’s data security policies and practices following news of a massive security breach earlier this week that may have exposed the personal credit and debit card information of up to 40 million Target customers.
Full text of the letter is below:
December 22, 2013
The Honorable Edith Ramirez, Chairwoman
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
Dear Chairwoman Ramirez:
I write to urge you to immediately open an investigation into Target Corporation’s recent reported data security breach, which may have exposed the credit and debit card information of 40 million Target customers this holiday season. If Target failed to adequately and appropriately protect its customers’ data, then the breach we saw this week was not just a breach of security; it was a breach of trust. The Federal Trade Commission (the FTC or the Commission) has the authority and the responsibility to investigate and address this kind of event, and I urge you to look into this case immediately.
As you know, section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) gives the FTC jurisdiction to investigate companies’ privacy and information security policies, procedures, and practices. Given the scope and duration of Target’s recent data breach, it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information. A breach of this size indicates that somebody gained extensive and unfettered access to customer information held by Target. The fact that the intrusion lasted for more than two weeks indicates that Target’s procedures for detecting and shutting down an effort to steal customer data do not live up to a reasonable standard. If Target failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects their personal information. Its conduct would be unfair and deceptive, and it would clearly violate the FTC Act.
As the FTC has recognized in the past, data breaches—and particularly breaches of the size and scope of the Target breach—expose consumers to significant and potentially permanent harm. Those Target customers who have their data misused by hackers or thieves could lose their good credit and in turn their ability to purchase the goods and services they need for their wellbeing and the wellbeing of their families. Even customers whose stolen data will never ultimately be misused must live with the fear and uncertainty of knowing that it could be.
While it is clear that the FTC has the authority to investigate breaches like the one that occurred at Target stores, it is equally clear that the Commission needs additional authority to impose sanctions sufficient to fully punish and deter the conduct that leads to such breaches. The breach at Target highlights how vast and damaging data breaches can be. The FTC should be able to respond to breaches like this with penalties commensurate to the potential harm. I look forward to working with my colleagues in the Congress and with the Commission to ensure that the Commission has all the sanction authority it needs to carry out its mission effectively.
The 40 million Americans who today are wondering whether their personal information is in the hands of hackers and thieves deserve to know that the FTC is getting to the bottom of the situation. I know the Commission takes data breaches seriously, and I look forward to working with you to understand what happened at Target and to prevent any such breach from happening in the future.