The Regulation Big Business Is Begging For

Why retailers are desperate for a ham-fisted, one-size-fits-all data-breach mandate.

A shopping cart is seen in a Target store on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
National Journal
Brendan Sasso
Jan. 23, 2014, 2:35 p.m.

It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.

Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.

Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.

Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.

Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.

Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.

But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.

Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.

“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.

Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.

Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.

Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.

And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.

The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.

Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.

“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”

Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.

And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.

They just need Washington to tell them what to do when those passwords get hacked.
