The Regulation Big Business Is Begging For

Why retailers are desperate for a ham-fisted, one-size-fits-all data-breach mandate.

A shopping cart is seen in a Target store on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
National Journal
Brendan Sasso
Jan. 23, 2014, 2:35 p.m.

It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.

Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.

Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.

Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.

Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.

Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.

But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.

Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.

“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.

Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.

Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.

Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.

And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.

The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.

Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.

“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”

Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.

And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.

They just need Washington to tell them what to do when those passwords get hacked.
