It’s the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. Except this time, America’s big-box stores are begging Congress to boss them around.
Reeling from high-profile privacy fumbles at Target and Neiman Marcus, retailers are asking Congress to require them to notify customers when shoppers’ information has been put at risk.
Currently, when firms spill data, they’re subject to a patchwork of state rules: 46 states, plus the District of Columbia, have their own privacy-breach notification laws. For a company like Target, which has stores in every state save Vermont, that means a massive compliance struggle.
Backers of a unified standard say a federal requirement would not only make companies’ lives easier but would also help firms serve their customers better by giving businesses a quick and comprehensive way to address hacks. And with tens of millions of Target and Neiman Marcus customers wondering if their credit cards are about to be used for someone else’s shopping spree, the issue has new momentum in an otherwise gridlocked Congress.
Rep. Lee Terry, the chairman of the House Commerce, Manufacturing, and Trade Subcommittee, has planned a data-security hearing, featuring testimony from a Target executive, for the first week of February.
Senate Judiciary Committee Chairman Patrick Leahy introduced a data-breach bill earlier this month, with the support of fellow Democratic Sens. Chuck Schumer, Al Franken, and Richard Blumenthal. Leahy, who has pushed similar legislation since 2005, said he also plans to hold a hearing on the issue.
But even with major retailers and business associations calling for a national standard, the legislation’s supporters have struggled to convince some Republicans that the bill isn’t just another nanny-state intrusion into companies’ private affairs.
Indeed, educating conservatives is a big part of the effort, said Mary Bono, a former House Republican from California turned data-security adviser for FaegreBD Consulting.
“This is not an antibusiness move — this is actually pro-business. It’s sort of counterintuitive,” she said.
Democrats have their qualms as well: They worry that a weak federal standard would preempt tougher state protections. And they want any national law to cover geo-location data, emails, and other personal records, not just financial information.
Those impulses, coupled with Congress’s generally constipated legislative process, may be why Bono was unable to gain much traction when she pushed a data-breach bill during her final term before losing her seat in 2012.
Her bill cleared the Commerce, Manufacturing, and Trade Subcommittee in 2011, when Bono was chairwoman, but it never received a vote in the full Energy and Commerce Committee. Bono said Energy and Commerce Chairman Fred Upton was supportive, but the issue was never a high enough priority to make it onto the panel’s calendar.
And while outrage over the Target breach has brought more urgency to the issue, it has also highlighted some sticking points. For example, Democrats and consumer advocates want to go beyond ensuring that consumers are informed when their privacy has been compromised; they want to punish companies that fail to protect their customers’ data.
The Federal Trade Commission has claimed that it already has the power to go after companies for inadequate data security under its authority to police “unfair” business practices. But the Wyndham Hotel chain and the medical laboratory LabMD have challenged the FTC’s actions against them, and the federal courts could decide to strip the FTC of its power in the area.
Many Democrats want any data-breach bill to explicitly grant the FTC the authority to fine companies that don’t take reasonable steps to protect their data. The law wouldn’t have to dictate specific security practices, but companies that recklessly put their customers’ sensitive information at risk should pay a price, they argue. Right now it is expensive for businesses that get hacked to comply with the various state notification rules — and that’s a good thing, consumer advocates say.
“One of the most important elements of a data-breach requirement is that it’s painful,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology. “If all federal data-breach legislation did was to make it easier to have a data-breach event, I’m not sure that would be a great outcome for consumers.”
Leahy’s bill includes new data-security requirements, but a GOP aide for the House Energy and Commerce Committee said the panel is focused only on the notification issue.
And even as the industry pushes Congress for regulation, it is warning lawmakers not to go too far. Many businesses say they would balk at expanding the federal government’s power to meddle in their security practices. It’s in their own interest to safeguard their data, they argue; they don’t need government bureaucrats telling them what kind of passwords to use.
They just need Washington to tell them what to do when those passwords get hacked.
What We're Following See More »
"Saudi Arabia said Saturday that Jamal Khashoggi, the dissident Saudi journalist who disappeared more than two weeks ago, had died after an argument and fistfight with unidentified men inside the Saudi Consulate in Istanbul. Eighteen men have been arrested and are being investigated in the case, Saudi state-run media reported without identifying any of them. State media also reported that Maj. Gen. Ahmed al-Assiri, the deputy director of Saudi intelligence, and other high-ranking intelligence officials had been dismissed."
"Special counsel Robert Mueller’s investigation is scrutinizing how a collection of activists and pundits intersected with WikiLeaks, the website that U.S. officials say was the primary conduit for publishing materials stolen by Russia, according to people familiar with the matter. Mr. Mueller’s team has recently questioned witnesses about the activities of longtime Trump confidante Roger Stone, including his contacts with WikiLeaks, and has obtained telephone records, according to the people familiar with the matter."
"Special Counsel Robert Mueller is expected to issue findings on core aspects of his Russia probe soon after the November midterm elections ... Specifically, Mueller is close to rendering judgment on two of the most explosive aspects of his inquiry: whether there were clear incidents of collusion between Russia and Donald Trump’s 2016 campaign, and whether the president took any actions that constitute obstruction of justice." Mueller has faced pressure to wrap up the investigation from Deputy Attorney General Rod Rosenstein, said an official, who would receive the results of the investigation and have "some discretion in deciding what is relayed to Congress and what is publicly released," if he remains at his post.
"The Justice Department on Friday charged a Russian woman for her alleged role in a conspiracy to interfere with the 2018 U.S. election, marking the first criminal case prosecutors have brought against a foreign national for interfering in the upcoming midterms. Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of 'Project Lakhta,' a foreign influence operation they said was designed 'to sow discord in the U.S. political system' by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and the National Football League national-anthem protests."