Stars aligning for data security legislation

After headline-grabbing hacks at familiar retailers, lawmakers and analysts say the time could be right for a new data security law.

This week, three different committees in Congress will probe whether a new federal law might need to be enacted to protect shoppers' data. Since more than 100 million people may have had their data stolen in recent weeks, advocates say now is as good a time as any.


“These threats affect everybody," said Delara Derakhshani, policy counsel with Consumers Union, the advocacy arm of Consumer Reports. “So policymakers and regulators and legislators I think are aware of this... We do think that the time is right, right now, especially in light of all these revelations."

Late last year, Target announced that hackers had infiltrated its database and stolen millions of customers’ financial information. Eventually, the company revealed that details about as many as 110 million people’s credit cards, addresses, phone numbers or other sensitive data may have been stolen. Possible data breaches have since been reported by Neiman Marcus and Michaels.

A flurry of bills has been introduced and reintroduced since news of the Target hack, but a consensus has yet to emerge about precisely what role the government should play to protect customers’ financial data.

One aspect many of the efforts have in common is a national standard for notifying customers after a data breach. Currently, 46 states and the District of Columbia have notification laws, but national and regional retailers complain that the patchwork forces them to spend valuable time complying with dozens of different laws rather than focusing on protecting against intrusions and repairing the damage after breaches are detected.

“Ideally it wouldn’t take an event such as this to spur action,” said Brian Dodge, a senior vice president at the Retail Industry Leaders Association, which counts Target, Walmart and Home Depot among its members.

“We’ve long said that action is needed and hopefully we can see passage of data breach notification legislation this year, see passage of cybersecurity this year -- smart policy that improves the situation, works in the real world.”

Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) this month introduced the Data Security Act, which would require businesses and financial institutions to have privacy protections, investigate any breaches and notify consumers if there is a substantial risk of fraud or theft.

Kenneth Clayton, an executive vice president and chief counsel at the American Bankers Association, said that measures like that would help shift the burden off financial institutions that have complained about the cost of responding to breaches, and make sure that stores are also held accountable.

“We think it's important that essentially everybody up their game,” he said. “Whether it's through legislation or through industry action or otherwise, we think it's important that it occur regardless.”

Another bill introduced last week by Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) and three other Democrats would empower the Federal Trade Commission (FTC) to set data security standards for companies to meet, in addition to setting a national breach notification standard.

Some in the cybersecurity industry think that having the government write standards would be an overstep that could make data networks less secure.

“The idea that the government would do a better job than private industry is a horrible idea,” said John Kindervag, a principal analyst at the advisory firm Forrester Research.

“The government tends to do what I call ‘compliance by cheerleading,’” he added. “It’s good stuff but either, if they tell you something specific, it’s so old and clunky it goes back to last century or it’s so high-level that no one knows actually how to implement it.”

In the past, the FTC has taken action against companies for having lax data security standards. After news of the Target breach became public, Sen. Richard Blumenthal (D-Conn.) urged it to investigate whether the firm was doing all it could to protect data.

An FTC spokesman said that the commission would not comment on its investigations unless and until formal action is taken.

Its authority to take action against companies for not protecting customers’ data is not entirely settled, however. The FTC is facing legal challenges to some of its recent actions from the resort company Wyndham Worldwide and the medical testing company LabMD.

Jessica Rich, the head of the FTC’s consumer protection bureau, said last week that protecting sensitive financial and health information is one of the commission’s main agenda items for 2014.

“The FTC has long been concerned that this type of sensitive data warrants special protections,” she said, according to prepared remarks.

Rich added that even though the agency has taken hundreds of legal actions on privacy and data security cases, many FTC officials nonetheless “strongly support” potential new laws to protect consumers whose data is held by companies.

Lawmakers are also pushing private sector companies to act on their own, especially when it comes to credit card technology.

Credit cards with embedded microchips are considered more secure than the magnetic-stripe cards used in the U.S. Cards with a chip are popular throughout Europe and elsewhere but have yet to make inroads stateside.

That could soon change. Major credit card companies are planning to shift liability for fraud cases unless retailers adopt the new cards by October 2015.

Paul Smocer, president of the Financial Services Roundtable’s technology policy division, said that change would be “a good step forward,” but it would not go all the way.

Retailer trade groups have urged companies to adopt chip-based cards that also require users to enter a PIN, as they do with debit cards.

“If you have that, you have a pretty fraud-resistant program that’s been set up,” said Mallory Duncan, senior vice president and general counsel with the National Retail Federation.

Duncan and the FTC’s Rich are scheduled to testify at a Senate Banking subcommittee hearing on Monday. Derakhshani, with Consumers Union, is scheduled to appear at a Tuesday hearing in the Senate Judiciary Committee alongside executives from Neiman Marcus, Target, and top government regulators. A third hearing, in the Energy and Commerce subcommittee on Commerce, Manufacturing and Trade, is set for Wednesday.

Bob Russo, general manager with the PCI Security Standards Council, which sets global standards for the industry, will also testify at Wednesday's hearing.

He told The Hill that he wanted to make sure lawmakers understood that data security is about “people, process and technology, not just technology.”