MRI-ISAC would enable stores and businesses to protect from cyber threats
February 11, 2014
Chairman Edith Ramirez
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
Dear Chairwoman Ramirez:
In light of the recent data breaches that occurred at the end of 2013 and early 2014 at a number of merchants, and to follow up on information we received at our hearing on February 3, we write to urge the Federal Trade Commission to support the establishment of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC), or â€œMRI-ISACâ€.
Similar to other sixteen existing ISACs, such as the Financial Institutions ISAC (â€œFI-ISACâ€), representing critical infrastructure industries of our country, the MRI-ISAC could receive alerts and information from a number of sources, including government agencies and law enforcement, and provide valuable information regarding emerging cyber threats, vulnerabilities, and risk information about cyber and physical security risks faced by the merchant and retail industry.Â The MRI-ISAC could then provide education to ISAC members on best practices and the most effective security measures.Â The MRI-ISAC could also be used to quickly disseminate information about suspected malware and cyber crime activity throughout the industry to better protect the systems, to mitigate the damage spread to other merchants and retailers, and ultimately to mitigate the damage to the number of consumers impacted.
The MRI-ISAC would also establish a database to collect information on the thousands of threats and vulnerabilities for years of data to be used in investigations by members.Â Further, the database will further the analysis efforts to establish trends, do research and conduct investigations.
A number of industries have utilized ISACs because of the sensitive information their industry either stores or handles.Â It is logical for these firms to take these additional security measures and safeguards, and as the payment systems evolve it is becoming more evident that others that store and/or handle similar sensitive information could also benefit from the formation of an ISAC for their industry.
Several industry ISACs, including the financial services ISAC, have official government sponsors.Â As the government agency responsible for responding when a merchant breach occurs, we urge the FTC to become the official government sponsor for an MRI-ISAC and assist industry coordinate efforts to establish an MRI-ISAC.