WASHINGTON — A congressional hearing Wednesday examining data breaches at major retailers such as Target and Neiman Marcus turned up no evidence that those two companies should have known earlier what was happening, at least according to the man holding the gavel, Rep. Lee Terry.
“I didn’t hear a smoking gun,” the Omaha Republican told reporters after the hearing.
He also gave Target credit for cooperating with those on Capitol Hill.
“I think they’ve been forthcoming during our two conversations now, and they have promised that they will continue to be forthcoming,” Terry said.
He added that lawmakers will continue to monitor the situation as both Target and Neiman Marcus continue internal audits.
The sheer scale of the Target breach late last year, which involved stolen data for millions of customers across the country, has received widespread attention and left lawmakers seeking the best ways for government to respond.
Terry called Wednesday’s hearing to discuss the issue in his role as chairman of the Energy and Commerce Committee’s subcommittee on manufacturing, commerce and trade.
John Mulligan, Target’s executive vice president and chief financial officer, reiterated the company’s apology to customers on Wednesday and said the company is still looking into how it was unable to stop or at least limit the attack.
Law enforcement witnesses, including William Noonan, a top agent with the Secret Service’s cyber operations, indicated that Target’s robust cyber protections were defeated by a highly sophisticated and specifically tailored attack that originated from somewhere outside the country.
Overall, witnesses at the hearing said sophisticated attacks are on the rise. They said no single silver bullet exists to counter them, although other countries have implemented more advanced technology that can make cyberdata plundering tougher.
Congress will wrestle in the coming months with how it might tackle the issue. Some ideas include national standards on what cybersecurity companies must maintain and national requirements for notifying customers when data security breaches occur.
One member of the subcommittee on Wednesday pressed witnesses on why the marketplace can’t handle the security issues on its own.
After all, the lawmaker said, customers can read headlines and choose to spend their money only at those stores with good security track records.
Terry said after the hearing that he’s typically sympathetic to a free-market argument, but that in this case consumers often don’t have enough information to make that kind of decision.
So some level of federal involvement might be appropriate, he said, although he said there’s a limit to what government can do well.
“I don’t believe that we can solve this whole problem by codifying detailed, technical standards or with overly cumbersome mandates,” Terry said. “Flexibility, quickness and nimbleness are all attributes that absolutely are necessary in cybersecurity but run contrary to the government’s abilities.”
While a number of proposals are being kicked around the Senate as well, Terry said the House is not likely to simply copy those ideas. Instead, he said, he will work on legislation that reflects internal, bipartisan House discussions.
“We’ll blaze our own path,” Terry said.