Kirk, Warner urge establishment of merchant and retail industry information sharing analysis center

MRI-ISAC would enable stores and businesses to protect from cyber threats

WASHINGTON, DC – U.S. Senators Mark Kirk (R-Ill.) and Mark Warner (D-Va.) sent a letter to Federal Trade Commission Chairman Edith Ramirez to request the establishment of a Merchant and Retail Industry Information Sharing Analysis Center (MRI-ISAC), which would enable stores and businesses to share threats and vulnerabilities before hackers strike. Following the Target and Neiman Marcus data breaches last year, Kirk and Warner held a National Security and International Trade and Finance Banking Subcommittee hearing to address the ongoing threat of cyber hackers.
“There has been a 30-percent increase in data breaches from 2012 to 2013, with more than 100 million people affected by the recent Target and Neiman Marcus data breaches,” Senator Kirk said. “That is why we are calling for Target and other large retailers that handle sensitive personal information to establish an MRI-ISAC, which will enable stores and businesses to share threats and vulnerabilities before these hackers strike again. The more information that is shared amongst these retailers, the safer American consumers will be.”
“Establishing an ISAC will enable the retail industry to share information that can help prevent the types of widespread consumer data theft we have seen in recent months,” Senator Warner said. “The private sector should work together to be more responsive to the serious threats consumers face from data breaches. “
A number of industries utilize ISACs, due to the sensitive nature of the information they handle. There are currently 16 other existing ISACs, which represent critical industries in our country. Cyber threats and hackers are often discovered through these centers, and the information is then shared with the institutions in order to combat these attacks.
A copy of the letter is below:

February 11, 2014

Chairman Edith Ramirez

Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, D.C. 20580

Dear Chairwoman Ramirez:

In light of the recent data breaches that occurred at the end of 2013 and early 2014 at a number of merchants, and to follow up on information we received at our hearing on February 3, we write to urge the Federal Trade Commission to support the establishment of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC), or “MRI-ISAC”.

Similar to other sixteen existing ISACs, such as the Financial Institutions ISAC (“FI-ISAC”), representing critical infrastructure industries of our country, the MRI-ISAC could receive alerts and information from a number of sources, including government agencies and law enforcement, and provide valuable information regarding emerging cyber threats, vulnerabilities, and risk information about cyber and physical security risks faced by the merchant and retail industry.  The MRI-ISAC could then provide education to ISAC members on best practices and the most effective security measures.  The MRI-ISAC could also be used to quickly disseminate information about suspected malware and cyber crime activity throughout the industry to better protect the systems, to mitigate the damage spread to other merchants and retailers, and ultimately to mitigate the damage to the number of consumers impacted.

The MRI-ISAC would also establish a database to collect information on the thousands of threats and vulnerabilities for years of data to be used in investigations by members.  Further, the database will further the analysis efforts to establish trends, do research and conduct investigations.

A number of industries have utilized ISACs because of the sensitive information their industry either stores or handles.  It is logical for these firms to take these additional security measures and safeguards, and as the payment systems evolve it is becoming more evident that others that store and/or handle similar sensitive information could also benefit from the formation of an ISAC for their industry.

Several industry ISACs, including the financial services ISAC, have official government sponsors.  As the government agency responsible for responding when a merchant breach occurs, we urge the FTC to become the official government sponsor for an MRI-ISAC and assist industry coordinate efforts to establish an MRI-ISAC.