The Regulation Big Business Is Begging For

Why retailers are desperate for a ham-fisted, one-size-fits-all data-breach mandate.

A shopping cart is seen in a Target store on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
National Journal
Brendan Sasso
Jan. 23, 2014, 2:35 p.m.

It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.

Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.

Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.

Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.

Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.

Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.

But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.

Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.

“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.

Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.

Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.

Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.

And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.

The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.

Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.

“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”

Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.

And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.

They just need Washington to tell them what to do when those passwords get hacked.
