Citigroup discovered on May 10 that hackers had gained access to its credit card customers accounts but did not begin sending out notification letters to customers until June 3 and did not make an official statement on its website until June 15 about the breach.
Menendez chastised Citigroup for the delay and noted that his chief of staff had his Citi credit card account compromised, but only found out when he tried to use the card and it was declined. He called Citigroup and found out his account had been hacked, according to a report on the hearing by IDG News.
The senator then asked one of the hearing participants, Leigh Williams, president of the BITS division of the Financial Services Roundtable, whether he thought a month was an “appropriate time frame” for banks to notify customers of breaches.
"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way those customers can begin to take action to protect themselves", Williams was quoted by IDG News as saying.
Sen. Menendez said he introduced legislation, the Cybersecurity Enhancement Act, that would provide additional money for cybersecurity research and development.
Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, recently introduced a bill, Personal Data Privacy and Security Act, that would impose criminal penalties on corporate directors who fail to notify customers of cybersecurity breaches of personal information.
The bill would also establish a national standard for data breach notification, and require US businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.
Leahy has also introduced a bill that would update the Electronic Communications Privacy Act by improving privacy protections for consumers electronic communications and clarifying legal standards for the government to obtain this information.