Cybersecurity Target/Neiman Marcus Data Breaches

Submitted By fennecfox797
The title says it all. “Can data breaches be prevented? Congress and companies answer: For now, no.” At a congressional hearing that took place Tuesday, February 4th through Wednesday, February 5th, executives from Target and Neiman Marcus reported that they are still in the dark as to how they could have better secured their consumers from cybercriminals. The breaches of the two industry titans occurred between July and October of 2013 for Neiman Marcus, which logged some 1.1 million customers whose payment card and personal information were hacked, and between Thanksgiving and December 8th of last year for Target, where the payment card information of over 40 million customers and the personal contact information of some 70 million people were compromised. These recent hackings “compromised the privacy and security of millions of consumers… (and the ensuing) erosion of consumers’ confidence, with data breaches on the rise affecting retailers, Internet companies and others, could hinder the U.S. economy’s recovery,” said Sen. Patrick Leahy (D-VT), the chairman of the panel of the Senate Judiciary Committee hearing testimony from the Target and Neiman Marcus officials. Unfortunately, in this situation the primary legal tool against cyber criminals is the Computer Fraud and Abuse Act, which “mainly prohibits unauthorized access to a computer – a limited and increasingly outdated legal standard,” said Seattle U.S. Attorney and chair of the Attorney General’s cyber-crime enforcement advisory panel Jenny Durkan. As of now, there is no clear federal cybersecurity standard that dictates when or how customers must be informed in the event of a breach, and it is this that bothers me the most about this article. Yes, Congress is working on new legislation that would supposedly strengthen security protections for customers, but is this really enough?
The general consensus is that the companies were informed of the breach on or around the 12th of December; some customers were notified of the breach as late as January 10th, 2014, and some weren’t notified at all. Oddly enough, people who had never even shopped at Target or Neiman Marcus were among the recipients of an email stating that their information had been compromised because they “…very rarely do buy guest information,” admitted Target’s chief financial officer John Mulligan. To put it into perspective, we have data breaches whose ramifications reach tens of millions of people, an outdated federal standard regarding cybercrime, companies that fail to notify their consumers in a timely manner that their personal information has been compromised because of the previously stated outdated federal standards…and the list goes on. In trying to wring as much information as possible from the representatives of Target and Neiman Marcus so as to formulate preventative strategies, in the hope that an event this large-scale and all-encompassing doesn’t happen again, these particular criminal justice agencies (the Senate Judiciary Committee and the Attorney General) appear, I would be inclined to say, to be trying to cover their bases. Can data breaches be prevented? No. Are they trying very hard to fix this? Yes. Good times. Is it all enough? Quite probably, it is not. One of the solutions that will be implemented by Target in 2015 will be the changeover of the Target REDcard from “old fashioned magnetic-card strips designed in the ‘70’s” to “more secure chip-based cards in use in Europe and much of the rest of the world.” And that might be a step in the right direction for Target and Neiman Marcus, but what about other retail chains? This is a real threat that has every possibility of happening again. Witnesses at the hearing Wednesday are pushing for Congress to amend the CFAA to better reflect modern cybersecurity threats.
Orin Kerr, a George Washington University Law School professor who specializes in criminal procedure and computer crime law and was present at the hearing, said, “…the law has caused a circuit split in the meanings of certain syntax used…Congress could act and clarify the interpretation of the CFAA statute…and not just wait for the Supreme Court.” Banks and retailers alike are hesitating to make the switch to more secure technology because of the cost of making the transition. And that’s pretty much what it comes down to: laws need updating, the perpetrator is still unknown, and change for the better involves money that is reluctantly spent. “In other words, we’re all vulnerable. And maybe your new password shouldn’t be ‘nupassword’.” (Melinda Henneberger)
