In a hearing Wednesday, Chairman Jay Rockefeller, D-W.Va., highlighted legislation he has introduced that would require the Federal Trade Commission to establish national standards requiring companies to adopt basic security protocols and to notify consumers in the event of a breach.
"The truth is that private companies like Target hold vastly larger amounts of sensitive information about us than the government does," Rockefeller said. "And they spend much less time and money protecting their sensitive data than the government does."
"Target must be a clarion call to businesses, both large and small, that it’s time to invest in some changes."
Some 110 million people may have been affected in the November breach, in which hackers were able to install malware on Target's point-of-sale systems in the checkout lines of its stores, stealing the credit card information of 40 million people and the personal information of another 70 million.
But ineffective data security is far from limited to Target, the University of Maryland, Snapchat and other high-profile incidents of the last year. According to FTC Chairwoman Edith Ramirez, 16.6 million people in the U.S. -- some 7 percent of residents over the age of 16 -- were victims of identity theft in 2012.
"Never has a need for legislation been greater," Ramirez said.
"With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress must act," she said. "Companies are continuing to underinvest in security, and that's why we think more needs to be done."
Ramirez told the committee the agency would need the authority to impose civil penalties, the flexibility to implement the legislation, and jurisdiction over nonprofits as well as for-profit companies.
Ranking member John Thune, R-S.D., joined his committee colleague in calling for federal standards to replace the current patchwork of separate rules in 46 states and the District of Columbia. Thune cosponsored legislation of his own last year, and the Commerce Committee has made at least two other attempts in the past decade, without success.
Analysis of the Target breach found that the company's security software raised alerts in November when the hackers installed their malware on the system after using an HVAC vendor's credentials to access the network, but the company failed to respond to those alerts, according to a report released by Rockefeller's office and confirmed by Target CFO John Mulligan, who testified before the committee Wednesday.
"The reality is that our systems were breached," Mulligan said. "To prevent this from happening again, none of us can go it alone."