By Brian Krebs
washingtonpost.com Staff Writer
Friday, February 2, 2007
Data privacy is likely to be among the hottest technology issues to face Congress this year, in part due to interest from the new chairman of the House Financial Services Committee.
Panel Chairman Barney Frank (D-Mass.) said he plans to craft a bill that would exempt companies from disclosing data breaches, provided they secure the data with encryption software or other technology that would render it virtually unreadable if it fell into the wrong hands.
Frank also said he wants retailers to be held more accountable for data breaches. Last month, TJX, the Massachusetts-based parent of discount retailers TJ Maxx and Marshalls, disclosed that hackers had broken into its credit card processing network, possibly exposing financial details on millions of customers.
This week, the Massachusetts Bankers Association said that some of its member banks have reported fraudulent transactions associated with the TJX data breach. Credit card issuers have contacted at least 60 banks affected by the break-in, the MBA said.
While more than 30 states have laws requiring companies to alert residents of data breaches, most of the statutes let the affected company delay notifying banks while law enforcement agencies investigate. Frank said retailers should be required to notify banks that issued the compromised credit card accounts so that financial institutions can issue customers new cards before fraud occurs.
"For too long, retailers have been immunized from having to own up when it's their mistake through contractual protection from Visa and MasterCard," he said.
Mallory Duncan, senior vice president and general counsel of the National Retail Federation, said Frank's proposal was an effort by some smaller banks to shift more of the costs of fraud to retailers. "Most of the larger banks have very sophisticated, round-the-clock fraud monitoring systems in place, but a lot of the smaller institutions don't have those systems," he said.
There have been more than 100 million instances in which Americans have had their personal data compromised due to data breaches or mishaps, according to the Privacy Rights Clearinghouse, a consumer group in San Diego.
The data breach bill that got the most support from industry and consumer groups last year -- offered by Sen. Dianne Feinstein (D-Calif.) -- would require any organization holding personal data to notify consumers upon learning of a data breach. She has revised the bill, and it was among the first to be reintroduced this year.
The measure would preempt many tougher state laws and contains fairly broad exemptions, including not requiring entities to disclose a breach if a risk assessment concludes there is "no significant risk that the breach has resulted or will result in harm" to consumers.
While some major corporations -- most recently Microsoft -- have expressed support for some kind of federal consumer privacy law to govern how companies can use, combine and trade consumer data, the effort to produce baseline privacy protections for consumers may set off contentious policy debates, said Fred von Lohmann, a senior staff attorney with the Electronic Frontier Foundation.
"The question with this issue -- as with others -- becomes, is this an area where dueling interest groups will make it difficult for Congress to come to an effective solution, or is it something that's moving so fast that anything Congress is likely to do will end up obsolete a year or two from now?" he said.
Consumer groups also expect corporate- and government-backed data mining practices to receive scrutiny from Congress, in part because the Senate Judiciary Committee is headed by Sen. Patrick J. Leahy (D-Vt.), known for his staunch advocacy on consumer privacy matters.
The Bush administration has come under heavy fire from privacy advocates for its data mining initiatives and for pressuring Internet service providers to dramatically extend the length of time that they retain records of their customers' online activities.