The Regulation Big Business Is Begging For

Why retailers are desperate for a ham-fisted, one-size-fits-all data-breach mandate.

A shopping cart is seen in a Target store on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
National Journal
Brendan Sasso
Jan. 23, 2014, 2:35 p.m.

It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.

Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.

Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.

Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.

Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.

Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.

But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.

Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.

“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.

Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.

Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.

Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.

And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.

The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.

Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.

“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”

Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.

And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.

They just need Washington to tell them what to do when those passwords get hacked.
