Attorney General Eric Holder has a message for Congress: America needs a national standard for notifying consumers and law enforcement of data breaches.
On Monday, the attorney general tried to dispel a popular industry argument that public disclosure of attacks could jeopardize investigations. If anything, Holder said, a federal standard would “enable law enforcement to better investigate these crimes -- and hold compromised entities accountable when they fail to keep sensitive information safe.”
The attorney general joins a chorus of lawmakers in calling for a federal law to supersede the jumble of state regulations already in place. Consumer advocacy groups are also calling for uniform rules, though they caution that any federal standards should not weaken the tough protections that several states already have on the books.
To Holder, a national reporting standard would empower consumers to protect themselves against identity theft. The faster people are aware of a breach, the sooner they can look for suspicious activity on their accounts.
It took retailer Target four days to come clean about hackers lifting data from 40 million customer credit and debit card accounts over the holidays. Neiman Marcus waited 10 days before alerting the public to a similar breach of its systems. While those companies have defended their response times, consumer advocates have decried the delays.
Public companies such as Target and Neiman Marcus have to inform consumers of a breach as long as the disclosure does not interfere with law enforcement investigations, according to the Securities and Exchange Commission. But there is no standard for privately held companies.
Forty-six states have disclosure laws on the books with varying degrees of consumer protection. Maryland, for instance, requires companies to list the contact information of the state attorney general when personal information is compromised. But Virginia, like many states, exempts companies from reporting breaches depending on the level of exposure of the data.
“You shouldn’t have more or less protection because of the state you reside in,” said Eva Velasquez, chief executive of the Identity Theft Resource Center, a San Diego-based nonprofit.
Instituting federal disclosure has been a perennial battle in Washington. The competing interests of state authorities, companies and consumer advocates have killed past bills.
“Because the [Target] breach got national attention ... now we’re starting to have a much-needed conversation about the importance of uniformed regulation,” Velasquez said. She suspects the recent rash of breaches could tip the scales this time around.
In the wake of the Target breach, several disclosure bills have been introduced in Congress, including legislation sponsored by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.). Their bill would require companies to notify federal agencies of breaches and Americans of any breaches that affect more than 5,000 customers.
Companies have been apprehensive about whether they would have to inform the public of all attacks on their computer systems, which would require extensive manpower. Holder pressed Congress to enact legislation that would “provide reasonable exemptions for harmless breaches, to avoid placing unnecessary burdens on businesses that do act responsibly.”
There is not much that the attorney general can do other than appeal to Congress to institute a national standard for disclosure. The Justice Department has been working with the Secret Service to find those responsible for the cyber intrusions.
But it’s not enough, consumer advocates say. Disclosure, they argue, is only one piece of a much larger picture.
“The system is out of control in terms of how much data is being collected and how few controls are in place,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a privacy advocacy group. “The government has to create standards; they have to be enforced; and there need to be serious penalties.”
Americans are protected under a patchwork of privacy laws. The Gramm-Leach-Bliley Act of 1999 established security standards for banks and credit unions to guard consumer data, but there is no comparable law that governs merchants.
Retailers could face enforcement action from the Federal Trade Commission if they fail to safeguard their customers’ personal information. Critics say that reactive approach does little to ensure companies are vigilant about protecting consumer data.
Even the Consumer Financial Protection Bureau has a limited role in this area, as its primary function is to ensure banks reimburse consumers for fraudulent purchases made using their cards.
A group of Senate Democrats, led by Sen. Jay Rockefeller (D-W.Va.), has introduced legislation to require the FTC to issue security standards for companies that hold consumers’ personal and financial information. But industry groups, including the National Retail Federation, have bristled at the idea of additional regulation, as expected.