It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.
Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.
Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.
Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.
Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.
Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.
But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.
Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.
“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.
Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.
Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.
Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.
And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.
The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.
Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.
“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”
Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.
And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.
They just need Washington to tell them what to do when those passwords get hacked.
What We're Following See More »
"The U.S. Air Force is preparing to put nuclear-armed bombers back on 24-hour ready alert, a status not seen since the Cold War ended in 1991...Putting the B-52s back on alert is just one of many decisions facing the Air Force as the U.S. military responds to a changing geopolitical environment that includes North Korea’s rapidly advancing nuclear arsenal, President Trump’s confrontational approach to Pyongyang, and Russia’s increasingly potent and active armed forces."
"Senate Democrats on Thursday failed in their first attempt to save the state and local tax deduction, which helps many residents of California and other high-cost states reduce their federal income tax bills. The Republican-controlled Senate voted 52-47 to reject an amendment that would have prevented the Senate from considering any bill that repeals or limits the deduction as part of a planned tax overhaul."
"President Donald Trump's former campaign manager Corey Lewandowski appeared on Capitol Hill for a closed-door interview with the Senate intelligence committee Wednesday, according to a source familiar with the matter. Lewandowski is the latest senior official in Trump's orbit who has met with the committee as part of its investigation into Russian election meddling and possible collusion with the Trump campaign."
"A growing number of key Republicans are sending this message to the leaders of the congressional committees investigating potential Trump campaign collusion with the Russians: Wrap it up soon. In the House and Senate, several Republicans who sit on key committees are starting to grumble that the investigations have spanned the better part of the past nine months, contending that the Democratic push to extend the investigation well into next year could amount to a fishing expedition."