Accountability Is Key Goal of Privacy Legislation
Thursday, February 1, 2007; 10:19 AM
Data privacy is likely to be among the hottest technology issues to face Congress this year, thanks in part to interest from the new chairman of the powerful House Financial Services Committee.
Panel Chairman Barney Frank (D-Mass.) said he plans to craft a bill by working with the head of the committee overseeing commerce issues. His measure would exempt companies from disclosing data breaches, provided they secure the data with encryption software, or some other technology that would render it virtually unreadable if it fell into the wrong hands.
Frank also said he wants retailers to be held more accountable for data breaches. Earlier this month, TJX Companies, the Massachusetts-based parent company of discount retailers TJ Maxx and Marshalls, disclosed that hackers had broken into its credit card processing network, exposing financial details on millions of Americans. This week, the Massachusetts Bankers Association said that some of its member banks have reported fraudulent transactions associated with the data breach. Credit card issuers have contacted at least 60 banks affected by the break-in, the MBA said.
While more than 30 states have laws requiring companies to alert residents of a data breach, most of the statutes let the affected company delay notifying banks while law enforcers investigate. Frank said retailers should be required to notify banks that issued the compromised credit card accounts so that financial institutions can issue customers new cards before fraud occurs.
"For too long, retailers have been immunized from having to own up when it's their mistake through contractual protection from Visa and MasterCard," Frank said.
Officials from Visa and MasterCard declined to comment for this story. But Mallory Duncan, senior vice president of the National Retail Federation, said Frank's proposal was an effort by some smaller banks to shift more of the costs of fraud to retailers.
"Most of the larger banks have very sophisticated, round-the-clock fraud monitoring systems in place, but a lot of the smaller institutions don't have those systems," Duncan said. "These institutions have abdicated their responsibilities in this regard, and now they want retailers to pay for it."
More than 100 million Americans have had their personal data compromised due to data breaches or mishaps, according to the Privacy Rights Clearinghouse.
The data breach bill that enjoyed the most support from industry and consumer groups last year -- offered by California Democratic Sen. Dianne Feinstein -- would require any organization holding personal data to notify consumers upon learning of a data breach. Feinstein's measure contains fairly broad exemptions, and it would preempt many tougher state laws.
Feinstein's bill, among the first to be reintroduced this year, also would require companies to notify consumers of a breach regardless of whether the data was encrypted, although companies would only be forced to notify if records on at least 10,000 customers were jeopardized.
But it is far more palatable to consumer groups than a proposal that came close to a vote in the House of Representatives last year. That measure would have barred most consumers from requesting "security freezes" on their credit files. It also would have given businesses greater discretion in determining when consumers should be notified about a data breach.
Liz Gasster, acting executive director of the Cyber Security Industry Alliance, said her member companies would lobby for the inclusion of a legal liability exemption for data breaches that involve stolen or lost personal information that has been protected by encryption technology.