washingtonpost.com
Accountability Is Key Goal of Privacy Legislation
Rep. Frank Wants Added Protections for Consumers

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, February 1, 2007 10:19 AM

Data privacy is likely to be among the hottest technology issues to face Congress this year, thanks in part to interest from the new chairman of the powerful House Financial Services Committee.

Panel Chairman Barney Frank (D-Mass.) said he plans to craft a bill by working with the head of the committee overseeing commerce issues. His measure would exempt companies from disclosing data breaches, provided they secure the data with encryption software, or some other technology that would render it virtually unreadable if it fell into the wrong hands.

Frank also said he wants retailers to be held more accountable for data breaches. Earlier this month, TJX Companies, the Massachusetts-based parent company of discount retailers TJ Maxx and Marshalls, disclosed that hackers had broken into its credit card processing network, exposing financial details on millions of Americans. This week, the Massachusetts Bankers Association said that some of its member banks have reported fraudulent transactions associated with the data breach. Credit card issuers have contacted at least 60 banks affected by the break-in, the MBA said.

While more than 30 states have laws requiring companies to alert residents of a data breach, most of the statutes let the affected company delay notifying banks while law enforcers investigate. Frank said retailers should be required to notify banks that issued the compromised credit card accounts so that financial institutions can issue customers new cards before fraud occurs.

"For too long, retailers have been immunized from having to own up when it's their mistake through contractual protection from Visa and MasterCard," Frank said.

Officials from Visa and MasterCard declined to comment for this story. But Mallory Duncan, senior vice president of the National Retail Federation, said Frank's proposal was an effort by some smaller banks to shift more of the costs of fraud to retailers.

"Most of the larger banks have very sophisticated, round-the-clock fraud monitoring systems in place, but a lot of the smaller institutions don't have those systems," Duncan said. "These institutions have abdicated their responsibilities in this regard, and now they want retailers to pay for it."

More than 100 million Americans have had their personal data compromised due to data breaches or mishaps, according to the Privacy Rights Clearinghouse.

The data breach bill that enjoyed the most support from industry and consumer groups last year -- offered by California Democratic Sen. Dianne Feinstein -- would require any organization holding personal data to notify consumers upon learning of a data breach. Feinstein's measure contains fairly broad exemptions, and it would preempt many tougher state laws.

Feinstein's bill, among the first to be reintroduced this year, also would require companies to notify consumers of a breach regardless of whether the data was encrypted, although companies would only be forced to notify if records on at least 10,000 customers were jeopardized.

But it is far more palatable to consumer groups than a proposal that came close to a vote in the House of Representatives last year. That measure would have barred most consumers from requesting "security freezes" on their credit files. It also would have given businesses greater discretion in determining when consumers should be notified about a data breach.

Liz Gasster, acting executive director of the Cyber Security Industry Alliance, said her member companies would lobby for the inclusion of a legal liability exemption for data breaches that involve stolen or lost personal information that has been protected by encryption technology.

"We want to ensure that if companies take steps like using encryption as part of their overall security plan that there would be some sort of safe harbor limitation on liability," said Gasster, whose group represents some of the world's largest computer security firms.

David Sohn, staff counsel for the Center for Democracy & Technology, a policy group in Washington, said an encryption exemption in a data breach bill would help avoid alarming consumers over data breaches that have a very low likelihood of compromising their personal information.

"So long as [the legislation] is written not to exempt companies that also have their encryption keys [needed to unscramble encrypted data] stolen along with their customers' information, there is a strong argument to be made that sending notices to consumers in those cases could desensitize people into not being vigilant in cases where it really matters," Sohn said.

While some major corporations -- most recently Microsoft -- have expressed support for some kind of federal consumer privacy law to govern how companies can use, combine and trade consumer data, the effort to produce baseline privacy protections for consumers may be among the most contentious of policy debates, said Fred von Lohmann, a senior staff attorney with the Electronic Frontier Foundation.

"Data privacy is one of those areas where you're going to have very big corporate interests on both sides," von Lohmann said. "The question with this issue -- as with others -- becomes, is this an area where dueling interest groups will make it difficult for Congress to come to an effective solution, or is it something that's moving so fast that anything Congress is likely to do will end up obsolete a year or two from now?"

Consumer groups also expect corporate- and government-backed data mining practices to receive heavy scrutiny from this Congress, in part because the Senate Judiciary Committee is now headed by Patrick Leahy, a Democrat from Vermont known for his staunch advocacy on consumer privacy matters.

The Bush administration has come under heavy fire from privacy advocates for its data mining initiatives and for pressuring Internet service providers to dramatically extend the length of time that they retain records of their customers' online activities. In a shining example of how few technology policy concerns divide neatly along partisan lines, the administration's data retention plan was backed with legislation offered by Rep. Diana DeGette, a Democrat from Colorado.

Leahy declined to comment for this story, but in a speech at the Georgetown University Law Center following the mid-term election, Leahy said he plans to introduce legislation to curtail what he called the "proliferation of data brokers and the burgeoning market for collecting and selling personal information."

© 2007 Washingtonpost.Newsweek Interactive