Consumer Federation of California

Lawmakers pushed on Tuesday for ways to prevent the kind of consumer data breaches that claimed voluminous amounts of information during the recent holiday season.

Over a few weeks spanning the end of November to mid-December, hackers wielding malware programs penetrated Target’s point-of-sale systems and purloined credit and debit card data for some 40 million American customers. An additional 70 million Target shoppers had additional personal information stolen. Neiman Marcus and Michaels Stores also saw consumer data lifted.

It wasn’t the first time data breaches have endangered personal information. Attorney General Kamala Harris estimated last year that 2.5 million Californians had their privacy compromised, with retailers the most frequent target of attacks.

“We have to continue to believe that criminals will devote their time to trying to gain access to our personal information,” Assemblyman Roger Dickinson, D-Sacramento, said on Tuesday, adding that the data breaches “demonstrated new levels of sophistication as well as pointing out weaknesses in our current payment system.”

Dickinson and Assemblyman Bob Wieckowski, D-Fremont, have co-sponsored legislation dealing with data breaches, including requirements around notifying consumers of an incident. Sen. Hannah-Beth Jackson, D-Santa Barbara, also has a bill intended to safeguard credit card information.

Critics faulted Neiman Marcus for taking weeks to publicly acknowledge its data breach. Some speakers advocated requiring businesses to quickly inform customers of data thefts, saying it would help keep consumers informed and give businesses an incentive to shore up security and avoid damaging disclosures.

“Last year there were 619 data breaches in the United States,” said Diana Dykstra, chief executive officer of the California Credit Union League. “People say, ‘yes, the retailers want to notify,'” she continued. “Can you name 619? I surely can’t.”

Imposing more robust data security requirements on California businesses, including rules governing encryption of consumer data, could help prevent future data thefts, according to some witnesses.

“We have low-hanging fruit from a simple technical perspective,” said Lee Tien of the Electronic Frontier Foundation.

But industry representatives warned of overly rigid requirements, describing a constantly evolving struggle between businesses trying to protect their data and hackers looking for vulnerabilities to exploit.

“Legislatively mandated technology standards, anti-fraud methods is a roadmap for fraudsters,” said Alex Alanis, a lobbyist for the California Bankers Association. “It also freezes in how we combat criminals.”

Lawmakers also pressed witnesses for more information on converting from credit cards containing personal information in a magnetic stripe, the current industry standard, to more sophisticated cards using microchip processor, technology commonly referred to as “EMV.”

Witnesses at the hearing broadly agreed that the EMV technology, widespread in Europe, is more secure than magnetic stripe cards. Visa has adopted a policy encouraging merchants to accommodate the new cards by 2015. Still, some speakers said EMV cards would not have prevented the Target breaches.

Wieckowski launched the hearing by chastising Target and Neiman Marcus for declining to testify after having gone before Congress earlier in February. Industry representatives warned at that hearing that sophisticated hackers had become adept at circumventing security measures.

“It’s a little slap on the face for the people of California,” Wieckowski said ahead of the hearing.