The Regulation Big Business Is Begging For

Why retailers are desperate for a ham-fisted, one-size-fits-all data-breach mandate.

A shopping cart is seen in a Target store on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
National Journal
Brendan Sasso
Jan. 23, 2014, 2:35 p.m.

It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.

Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.

Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.

Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.

Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.

Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.

But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.

Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.

“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.

Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.

Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.

Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.

And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.

The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.

Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.

“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”

Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.

And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.

They just need Washington to tell them what to do when those passwords get hacked.
