It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.
Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.
Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.
Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.
Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.
Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.
But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.
Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.
“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.
Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.
Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.
Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.
And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.
The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.
Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.
“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”
Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.
And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.
They just need Washington to tell them what to do when those passwords get hacked.
What We're Following See More »
The Democratic National Committee issued a formal apology to Bernie Sanders today, after leaked emails showed staffers trying to sabotage his presidential bid. "On behalf of everyone at the DNC, we want to offer a deep and sincere apology to Senator Sanders, his supporters, and the entire Democratic Party for the inexcusable remarks made over email," DNC officials said in the statement. "These comments do not reflect the values of the DNC or our steadfast commitment to neutrality during the nominating process. The DNC does not—and will not—tolerate disrespectful language exhibited toward our candidates."
The chairman of the DCCC said Debbie Wasserman Schultz won't be getting financial help from the organization this year, even as she faces a well-funded primary challenger. "Rep. Ben Ray Luján (D-NM) said the committee’s resources will be spent helping Democrats in tough races rather than those in seats that are strongholds for the party." Executive Director Kelly Ward added, “We never spend money in safe seats."
Debbie Wasserman Schultz has given up her last remaining duty at this week's convention. Now, she's told her hometown newspaper, the South Florida Sun-Sentinel, that she will not gavel in the convention today. Baltimore Mayor Stephanie Rawlings-Blake will do the honors instead. "I have decided that in the interest of making sure that we can start the Democratic convention on a high note that I am not going to gavel in the convention," Wasserman Schultz said.
Perhaps this talk of unity has been overstated. Addressing a room full of his supporters today, Bernie Sanders heard "sustained boos" when he said he said it was essential that we elect Hillary Clinton and Tim Kaine.
The FBI this morning issued a statement saying it is "investigating a cyber intrusion involving the DNC," adding that "a compromise of this nature is something we take very seriously." Meanwhile, Hillary Clinton's campaign is suggesting that the hack "was committed by Russia to benefit Donald Trump."