(Washington, DC) – In a letter to Federal Trade Commission (FTC) Chairwoman Edith Ramirez, U.S. Senators Richard Blumenthal (D-Conn.) and Edward Markey (D-Mass.) today called on the FTC to investigate and address the recent data breach at Home Depot. The possibility of a data breach was first disclosed last Tuesday on the security blog Krebs on Security, and was confirmed yesterday by Home Depot. The data breach may have affected Home Depot’s almost 2,200 stores in the U.S. and Canada, and transactions dating back to April.
“We are concerned that the retailer’s procedures for detecting and stopping operations to steal customer data are inadequate and we call on the Commission to investigate whether Home Depot’s security procedures meet a reasonable standard,” Blumenthal and Markey wrote. “If Home Depot failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects such information. Such conduct is potentially unfair and deceptive, and therefore could violate the FTC Act.”
In February, Senators Blumenthal and Markey introduced the Personal Data Protection and Breach Accountability Act. This bill would help protect consumers’ personal and financial information from hackers through a multi-pronged approach that combats the risks associated with data breaches by holding those who fail to deter preventable data breaches accountable, minimizing consumer harm in the event of a data breach, and promoting technical information sharing among companies to help prevent future breaches.
The full text of the letter is below:
September 9, 2014
The Honorable Edith Ramirez, Chairwoman
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
Dear Chairwoman Ramirez:
We write to urge you to immediately open an investigation regarding the data breach at Home Depot. The Federal Trade Commission (the FTC or the Commission) has the authority and the responsibility to investigate and address this kind of event, and we strongly encourage you to quickly look into this case.
As reported in the Los Angeles Times (“Possible Data Breach at Home Depot Highlights Retailers’ Vulnerability”, September 4, 2014), Home Depot’s cybersecurity system is ranked behind that of other retailers. According to this report, Home Depot takes 1.3 days to clear malware from its system, lagging behind the retail industry average of one day. Online discussions of vulnerabilities on Home Depot’s website date back to 2008. These revelations raise serious concerns about Home Depot’s responsiveness to potential attacks, particularly in light of other retailers that have recently been targeted by hackers.
As you know, Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) gives the FTC jurisdiction to investigate companies’ privacy and information security policies, procedures, and practices. Given the unprecedented scope and extended duration of Home Depot’s data breach, it appears that Home Depot may have failed to employ reasonable and appropriate security measures to protect sensitive personal information.
Furthermore, it is troubling that Home Depot has not yet been able to confirm that it has successfully shut down the data breach. This means that its customers may continue to be at risk of having their personal information stolen. We are concerned that the retailer’s procedures for detecting and stopping operations to steal customer data are inadequate and we call on the Commission to investigate whether Home Depot’s security procedures meet a reasonable standard. If Home Depot failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects such information. Such conduct is potentially unfair and deceptive, and therefore could violate the FTC Act.
As the FTC has recognized in the past, data breaches expose consumers to significant and potentially permanent economic harm. Home Depot customers who have their data misused by hackers and thieves risk losing their good credit and in turn, their ability to secure the goods and services they need for their wellbeing and the wellbeing of their families. Even customers whose stolen data is never ultimately misused must live with the fear and uncertainty of knowing their personal information may be circulating for sale on the Internet.
While it is clear that the FTC has the authority to investigate breaches like this one, it is equally clear that the Commission needs additional authority to impose sanctions sufficient to fully punish and deter the conduct that leads to such breaches. The breach at Home Depot highlights how vast and damaging data breaches can be. The FTC should be able to respond to breaches like this with penalties commensurate with the potential harm. We look forward to working with our colleagues in Congress and with the Commission to ensure that the Commission has all the enforcement authority it needs to carry out its mission effectively.
The millions of Americans who today are wondering whether their personal information is in the hands of hackers and thieves deserve prompt notification from Home Depot, and the FTC should do everything in its power to protect consumers. We know the Commission takes data breaches seriously, and we look forward to working with you to understand what happened at Home Depot and to prevent any such breach from happening in the future.
United States Senate
EDWARD J. MARKEY
United States Senate