Massive data breaches at two nationwide retailers in recent years, as well as North Korea’s alleged attack on Sony Corp., have brought renewed focus to the question of how the federal government can ensure U.S. businesses protect sensitive customer data. The potential for congressional legislation and administrative action later this year, however, has the retail and financial services industries advocating for different priorities in data breach security proposals.
Data breaches at Target Corp. and Home Depot Inc. exposed the personal financial information of a combined 120 million customers, and in doing so hurt the bottom line of card issuers. The Credit Union National Association, a financial services trade association, said the two data thefts alone meant credit unions racked up more than $90 million in costs related to issuing new cards, blocking accounts, monitoring for fraud and notifying consumers.
That’s prompted many card issuers to say they shouldn’t have to bear the costs for the breach of another company’s data systems. Last week, CUNA, the American Bankers Association, the Financial Services Roundtable and other industry trade groups sent a letter to lawmakers saying any forthcoming data security legislation should include a provision that affirms “the costs of a data breach should ultimately be borne by the entity that incurs the breach.”
Federal law does not require retailers to assume the liability for the costs of responding to a breach.
CUNA and the nearly 7,000 credit unions it represents say the logic behind having retailers like Home Depot and Target shoulder the cost burden is simple. The Gramm-Leach-Bliley Act, enacted in 1999, sets data security standards for financial institutions that possess personal financial information. The law, however, does not regulate merchants, only financial services firms.
Ryan Donovan, chief advocacy officer at CUNA, says that means retailers have “less incentive to secure that information tightly.”
“So right now the weak link in the payment system in terms of security is at the merchants,” Donovan said in an interview. “If they took greater steps to protect data, they wouldn’t be the victim.”
Paul Martino, vice president and senior policy counsel at the National Retail Federation, a trade group that represents merchants in the U.S. and more than 45 other countries, said the issue is more complex. He said retailers must adhere to multiple tiers of data security standards in order to meet requirements stipulated by various state laws, the Federal Trade Commission and the card issuers themselves.
“So it’s a little puzzling when we receive letters from card issuers about our data security when they set our standards,” Martino said in an interview. “This whole debate about retailer security standards masks the larger issue: that the cards themselves are fraud-prone.”
In a November letter to lawmakers in Washington, the NRF, along with the National Grocers Association, the National Restaurant Association and dozens of other groups representing merchant interests, lay part of the blame for data breaches at the feet of easily thwarted card payment technology, which in the U.S. uses a magnetic strip and signature to authenticate identity.
Visa Inc. and MasterCard Inc. say that before November they plan to transition to chip technology, a more secure authentication process that has been used in Europe for years.
But credit unions say that more advanced card security isn’t necessarily a cure-all because the chip-and-PIN approach doesn’t guard against breaches stemming from malware.
In the November letter the retail groups also point out that data breaches are not restricted to the merchant sector. They cite a breach at JPMorgan Chase last summer, which affected over 80 million accounts according to a company filing with the Securities and Exchange Commission.
Despite their differences over how to better protect consumer financial information, credit unions and retailers are in agreement about one thing: the need for a federal notification law that establishes when breached entities must inform consumers that their private information might be at risk.
At a congressional hearing today, Democratic and Republican members of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade expressed interest in passing a federal data breach law that would mandate a nationwide breach notification standard.
State laws currently govern commercial data breach notification requirements. As a result, nationwide businesses must navigate regulations in 47 states regarding customer notification procedures.
“A single, uniform national standard for notification of consumers affected by a breach of sensitive data would provide simplicity, clarity and certainty to both businesses and consumers alike,” NRF Senior Vice President for Government Relations David French said today in a statement.
Proponents of a national breach notification law also note the compliance costs associated with so many different state laws.
“Too many resources are spent trying to understand the legal obligations involved with data security and breach notification,” Rep. Michael Burgess (R-Texas), chairman of the Subcommittee on Commerce, Manufacturing and Trade, said at today’s hearing. “Certainty would allow those resources to be spent on actual security measures and notifications to affected consumers.”
Last year, Sen. Tom Carper (D-Del.) introduced the Data Security Act of 2014, one of at least four measures put forth by senators during the 113th Congress that would have created a federal notification standard. In an email statement on Jan. 23, Carper said the goal of his bill was to give “businesses clear and consistent rules of the road for responding to a breach event.”
None of the Senate’s data-security bills from the previous Congress made it out of committee.
Martino explained that while “there is a consensus in Congress that a federal breach notification bill should pass, there is a lack of consensus about how the language should look.”
One concern is that some state notification laws might be stronger than a federal bill.
“Businesses that operate nationally often follow the strictest state laws, giving our constituents strong data security and breach notification protections coverage regardless of what is written in any individual state law,” Rep. Frank Pallone (D-N.J.) said at today’s House hearing. “Therefore, I cannot support any proposal that supersedes strong state protections and replaces them with one weak federal standard.”
Woodrow Hartzog, an associate professor of law at Samford University who testified at today’s House hearing, echoed similar reservations. He said federal legislation should “serve as a floor, not a ceiling for regulation” and thus “allow state and sector-specific laws to be more protective, but not less.”
Jennifer Barrett-Glasgow, global privacy officer at Acxiom Corp. who also testified at the hearing, offered another reason why previous legislation had gotten nowhere. “Over the years, the enactment prospects of data breach notification and security bills have been hampered by the inclusion of ‘privacy’ provisions for which there is less consensus,” she said.
Federal bodies outside of Congress are taking an interest in this issue as well. The Federal Reserve yesterday published a paper calling for an overhaul of the U.S. payment system and announcing the formation of a task force to take on the issue later this year.