Compelling Compliance Via Regulations

Senator Speaks Out on Funding Cybersecurity Initiatives

By Eric Chabrow, June 22, 2011.
Sen. Robert Menendez says regulators should have the power to compel banks to toughen IT security and offer timely customer notification of a breach. But if they don't, the Banking Committee member says in an interview, they should come to Congress to get that authority. In an interview with Information Security Media Group, the New Jersey Democrat also explains why the estimated $1 billion cost of the Cybersecurity Enhancement Act he's sponsoring is justified at a time of fiscal constraint (see Congress Resurrects Cybersecurity Enhancement Act).

Menendez, who serves on the Senate Banking Committee as well as its Subcommittee on Financial Institutions and Consumer Protection, has asked the Office of the Comptroller of the Currency to investigate the recent breach at Citigroup, pointing out that the bank failed to immediately notify hundreds of thousands of customers whose accounts were exposed (see Citi Breach: 360K Card Accounts Affected).

The breach occurred on May 10, but wasn't made public until a month later. "If the public reports are true, that Citigroup waited for weeks, then it's unacceptable," Menendez says in an interview. "It seems to me, at a minimum, regulators should insist that financial institutions in short order notify their customers of any breach so that they can take appropriate actions in protecting their own identity information that may very well create a risk to them." Menendez says he's dismayed that banks are reluctant to provide breach notification in a timely manner. "That has to end," he says. "I'd love to see it as an industry initiative, but in the absence of that, we will push the regulators to make sure there is a timely notification. Also, what do regulators know and when did they know it, because obviously they should be very much aware of what's happening as well."

Also in the interview, with Information Security Media Group's Eric Chabrow, Menendez explains that despite budget constraints, the government must invest in initiatives aimed at securing government IT and the nation's critical information infrastructure. "How could the nation afford not to have what we're trying to accomplish under the Cybersecurity Enhancement Act?"

No area should be sacrosanct from potential budget cuts, including Defense and cybersecurity. "The question is how do we do this in a way that both is cost efficient and at the same time deals with the proactive view of how we have the prevention that would avoid us from spending a lot more in the long term," he says. "When I look at what our bill does and what other bills do, in my mind we are focused on maximizing the potential with the least possible cost. Why do I say that? Part of what we do is encourage coordination and prioritization of federal cybersecurity research and development. We improve the transfer of cybersecurity technologies to the marketplace. And, we promote cybersecurity education and awareness for the public. Now, not all of that necessarily needs money; on the contrary, when we create coordination and prioritization of R&D, when we improve the transfer of cybersecurity technologies to the marketplace, I think we can realize savings."

The senator also discusses the hack of the Senate website, a breach claimed by the hacking group LulzSec (see LulzSec: Senate, Sony Hackers Profiled). "It just makes the case why we need to be vigorous in our enforcement," he says.

Menendez, 57, served as member of the House of Representatives for 13 years until he was appointed to the Senate in January 2006 to replace Jon Corzine, who had just become New Jersey's governor. He was elected to a full, six-year term in November 2006.

Menendez also serves on the Finance and Foreign Relations committees. He chairs Banking's Subcommittee on Housing, Transportation and Community Development and Foreign Relations' Subcommittee on Western Hemisphere, Peace Corps and Global Narcotics Affairs.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
