In the aftermath of major hacking attacks at retail giants Target and Neiman Marcus, lawmakers have been searching for a way to move forward on data security legislation and seem to have arrived on one area of limited bipartisan consensus — creating a federal standard requiring companies to disclose data breaches.
But industry representatives and some lawmakers say that won’t be nearly enough to address a growing security threat.
“Breach notification laws can be a useful tool to — potentially — raise awareness about data security issues, incentivize companies to invest in security and empower consumers,” said one financial sector representative who asked not to be named. “But the reality is that notification is after the fact. The key to data security is to prevent breaches in the first place and notification does nothing to prevent breaches except in a very indirect way.”
Justin Brookman, the head of the Project on Consumer Privacy at the Center for Democracy and Technology, said Congress would be taking action on notification years after other levels of government have already acted on it.
“It wouldn’t be enough to address data breaches,” he said. “States have already enacted breach notification. A federal law would just make it easier on everyone by providing one standard.”
If a federal law provides liability protections and other incentives for companies that disclose attacks, it could actually make experiencing a breach cheaper for them, he said. Brookman called on Congress to look at other issues, such as requiring companies to have a reasonable level of security and tell customers what information they’re collecting and retaining.
Virginia Democratic Sen. Mark Warner, chairman of the Banking, Housing and Urban Affairs Subcommittee on National Security, International Trade and Finance, said that notification isn’t the only area where there’s bipartisan agreement; lawmakers are also close to consensus on the idea that debit cards should get the same level of fraud protection as credit cards.
But he said he expects Congress to move, carefully and deliberately, beyond those two areas.
“I’m not sure that breach notification will be sufficient,” Warner said. “I’m not looking to add new regulations without some thoughtfulness. We’re at the tip of the iceberg here.”
The open question is what Congress could do that would go beyond those issues and stand a chance at passing. Several members, notably Massachusetts Democratic Sen. Elizabeth Warren, have talked about giving the Federal Trade Commission increased authority to enforce data security standards, but Republicans see more regulation as a non-starter.
Lawmakers have generally received positive feedback from industry about notification — although the retail sector has expressed some reluctance — but many in the private sector feel that additional regulations would be unnecessarily restrictive and could actually harm data security if they set baselines that are too low or standards that don’t adapt to the steady flow of new threats.
“I really think the industry needs to do a better job in how it protects its information,” said Randy Vanderhoof, president of the Smart Card Alliance, a business group advocating for smart card technology.
Data security challenges include being able to spot illegitimate users on networks and better encrypting information to minimize the damages from breaches, Vanderhoof said, but those are all better left to the private sector. Even Warner’s suggestion about standardizing fraud protections for debit and credit cards would be an area where companies are in a better position to take action based on their knowledge of technology and the risks that consumers are willing to bear, he said.
“They’re certainly issues that I think industry is in the best position to solve,” he said.
Congress has been debating a federal notification standard for years, but the issue came back into focus in recent months, as lawmakers probed Target and Neiman Marcus executives for information about when and how the companies told customers about the attacks. The administration used the opportunity to renew its calls for a notification law, saying such a requirement would aid law enforcement in pursuing cyber-criminals.
“These crimes are becoming all too common,” Attorney General Eric H. Holder Jr. said in a video address. “And they have the potential to impact millions of Americans every year.”
Holder said a suitable standard would contain exceptions for harmless breaches, to protect businesses from undue harm, and penalties for companies that fail to make disclosures.
Although there is still a sharp partisan divide over data breach regulation — particularly the notion of giving the government more power to punish companies that don’t adequately protect information, a notion Republicans oppose — fewer members are willing to publicly oppose a notification requirement.
After the House held hearings on the Target and Neiman Marcus breaches, “there seemed to be agreement that one standard for disclosure would be good,” Graham Dufault, counsel to Lee Terry, R-Neb., chairman of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade, said at a recent conference.
Senate Judiciary Chairman Patrick J. Leahy, D-Vt., is sponsoring a leading data breach bill (S 1879), which would set criminal penalties for those who fail to disclose breaches. The panel’s ranking Republican, Charles E. Grassley of Iowa, says he’s willing to move forward on the issue, with the caveat that legislation should take pains to avoid requiring unnecessary disclosures.
“Just as there’s a potential for harm when a victim isn’t notified of a breach, overnotification can lead to harm and apathy,” he said during a February hearing.
Agreement doesn’t always equal action, though, and there are still plenty of issues that could kill breach notification this session. Debates over what constitutes “personally identifiable information” that would require notification if accessed by an attacker has bogged down debate in the past.
Congress would now also be working against the backdrop of a variety of notification laws adopted by 47 states and the District of Columbia. A federal law would almost certainly pre-empt those statutes, and Brookman said Congress therefore would have to take care in coming up with its language.
“If it’s a weak law, it would actually supersede some of the better state laws out there,” he said.
Still, House and Senate aides say if Congress is able to move any data breach legislation this year, notification is the most likely area for progress, whether on its own, as an amendment or as part of a larger package.
Warner said that, unlike many regulatory proposals, breach notification has an obvious appeal to industry, as it could actually save companies money.
“I think industry realizes the problem of the free rider,” he said. “What happens if you do security, but someone doesn’t, and you don’t know about it, and you become vulnerable?”
But the problem with focusing on notification, according to industry watchers, is that while it can have some positive effects, including allowing consumers to respond more quickly when their accounts are compromised and possibly tipping companies to a hacking threat that hasn’t yet hit them, it doesn’t otherwise have much preventive value.
“I’m torn about that,” Vanderhoof said. “Because it’s really trying to deal with damages after the fact rather than stopping breaches from happening.”
Another problem financial and technology sector groups see with breach notification is the fear that Congress might be declaring a symbolic victory about a battle it should long ago have settled.
“Congress may enact a federal breach notification law because members want to demonstrate some progress on the issue of data security and breach notification is currently one of the few areas of consensus,” said the finance industry representative. “Of course, consensus in Congress could grow beyond breach notification if more breaches are made public.”
Sen. Dianne Feinstein, D-Calif., floated a notification proposal as long ago as 2003. Lawmakers seemed close to reaching agreement on a bill in the last session, but those negotiations collapsed.
In the fast-moving world of digital threats, the pace of congressional debate seems especially slow. Warner said that slow speed could mean that Congress will eventually act on something more comprehensive.
“Even if we just start with notification, that takes us so long that by the time we’re done we might have come up with something else,” he said.