WASHINGTON – U.S. Sens. Mark Warner (D-VA) and Mark Kirk (R-IL) today sent a bipartisan letter to the head of the Federal Trade Commission requesting establishment of a Merchant and Retail Industry Information Sharing Analysis Center (MRI-ISAC), which would allow stores and retail businesses to share threats and vulnerabilities about data breaches and hacking attempts. Earlier this month, Sen. Warner led a Banking subcommittee hearing on recent data breaches impacting millions of customers at Target, Neiman Marcus and other leading national retailers.
"Establishing this center will allow the retail industry to better share information that could help prevent the types of widespread consumer data thefts we now are seeing," Senator Warner said. "’Forewarned is forearmed,’ and the private sector should consider establishing this framework so they can share up-to-date information about the serious and growing threat of hacking, cyber and identity theft.”
"There has been a 30-percent increase in data breaches from 2012 to 2013, with more than 100 million people affected by the recent Target and Neiman Marcus data breaches," Senator Kirk said. "That is why we are calling for Target and other large retailers that handle sensitive personal information to establish an MRI-ISAC, which will enable stores and businesses to share threats and vulnerabilities before these hackers strike again. The more information that is shared amongst these retailers, the safer American consumers will be."
A number of industries utilize ISACs, due to the sensitive nature of the information they handle. There are currently 16 other existing ISACs, which represent critical industries in our country. Cyber threats and hackers are often discovered through these centers, and the information is then shared with the institutions in order to combat these attacks.
Text of the letter is below:
February 11, 2014
Chairman Edith Ramirez
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
Dear Chairwoman Ramirez:
In light of the recent data breaches that occurred at the end of 2013 and early 2014 at a number of merchants, and to follow up on information we received at our hearing on February 3, we write to urge the Federal Trade Commission to support the establishment of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC), or “MRI-ISAC”.
Similar to other sixteen existing ISACs, such as the Financial Institutions ISAC (“FI-ISAC”), representing critical infrastructure industries of our country, the MRI-ISAC could receive alerts and information from a number of sources, including government agencies and law enforcement, and provide valuable information regarding emerging cyber threats, vulnerabilities, and risk information about cyber and physical security risks faced by the merchant and retail industry. The MRI-ISAC could then provide education to ISAC members on best practices and the most effective security measures. The MRI-ISAC could also be used to quickly disseminate information about suspected malware and cyber crime activity throughout the industry to better protect the systems, to mitigate the damage spread to other merchants and retailers, and ultimately to mitigate the damage to the number of consumers impacted.
The MRI-ISAC would also establish a database to collect information on the thousands of threats and vulnerabilities for years of data to be used in investigations by members. Further, the database will further the analysis efforts to establish trends, do research and conduct investigations.
A number of industries have utilized ISACs because of the sensitive information their industry either stores or handles. It is logical for these firms to take these additional security measures and safeguards, and as the payment systems evolve it is becoming more evident that others that store and/or handle similar sensitive information could also benefit from the formation of an ISAC for their industry.
Several industry ISACs, including the financial services ISAC, have official government sponsors. As the government agency responsible for responding when a merchant breach occurs, we urge the FTC to become the official government sponsor for an MRI-ISAC and assist industry coordinate efforts to establish an MRI-ISAC.