New Data Security Legislation On Horizon

Recent Happenings in APRM February 2014 Virginia Court Confirms Standard for Revealing Identities of Anonymous Online Defamers Case CPSC Proposes Revisions to Section 6(b) Information Disclosure Rule NHTSA Heads Down the Road to New Vehicle-to-Vehicle Communications Regulations FDA to Consider Overhaul of Over-the-Counter Drug Approval Process New Data Security Legislation On Horizon

After two high-profile breaches at Target and Neiman-Marcus, the Congress held back-to-back-to-back hearings in the Senate and the House last week on what tools the regulatory agencies, law enforcement, retailers, and banks need in order to combat the threat. Congressional leaders discussed whether there should be national standards on breach response, consumer protections, and data security and whether or not sharing information with a third party (social network, phone-company etc.) undermined a consumer's expectation of privacy. Given the American public's concern over this issue, and the unchanging pace of technological development, it's likely that greater Congressional attention, not less, will be devoted to this issue.

I. The Federal Trade Commission wants Legislation

For more than a decade, the Federal Trade Commission has taken on the role of regulator of consumer privacy. They have brought enforcement actions, established guidelines, and have settled more than 50 cases against businesses that they have accused of failing to safeguard the data of customers. There is pending litigation brought by Wyndham Hotels which challenges the FTC's authority to regulate and enforce consumer/data security standards. Wyndham's argument essentially boils down to a claim that Congress never authorized these FTC powers, and if the argument prevails, it would effectively render the Commission powerless to enforce breach regulations or minimum standards for the protection of customer data.

The Commission testified at all three hearings (Senate Banking, Senate Judiciary, and House Energy and Commerce) with Chairwoman Ramirez testifying before Senate Judiciary and Energy and Commerce, while Jessica Rich, the Director of the Bureau of Consumer Protection, testified before Senate Banking.

While both FTC testimonies consistently advocated for legislation affirmatively granting the Commission regulatory and enforcement authority, it wasn't until Wednesday's Energy and Commerce hearing that Chairwoman Ramirez outlined what the legislation should contain. In her opening statement she asked that any legislation authorize "civil penalties for deterrence, rule making authority, and jurisdiction over non-profits." Under questioning from Rep.

Dingell, who always asks yes or no questions of witnesses, there came this exchange:

Dingell- Should Congress pass a data-breach law?

Ramirez- Yes.

Dingell- Under such law, should FTC-covered entities be exempted from breach notification requirements if they're already in compliance with GLBA(Gramm-Leach-Bliley), FCRA(Fair Credit Reporting Act), and COPPA?

Ramirez- No.

Dingell- Should such law be administered by one federal agency?

Ramirez- Yes, it should be the FTC.

Dingell- Should a federal data security and breach notification law prescribe requirements for data security practices according to the reasonableness standard already employed by the Commission?

Ramirez- Yes.

Dingell- Should such law address notification methods, content requirements, and timeliness requirements?

Ramirez- Yes.

Dingell- In the event of a data breach, should a comprehensive federal data security and breach notification law require companies subject to a breach to provide free credit monitoring services to affected consumers for a time certain?

Ramirez- Yes.

Dingell- Should a violation of such law be treated as a violation of a Trade Regulation Rule promulgated under the Federal Trade Commission Act?

Ramirez- Yes.

Dingell- Should such law be enforceable by state attorneys general?

Ramirez- Yes.

Dingell- Given advances in criminal ingenuity and its potential in the future, should any statutory definition of the term "personal information" included in a comprehensive federal data security and breach notification law be sufficiently broad so as to protect consumers best?

Ramirez- Yes.

Dingell- Should such law preempt pre-existing state data security and breach notification laws?

Ramirez- Yes, if the federal rules are strong enough.

The queries above provide a broad outline of what the FTC, and its supporters would like to have in a final draft of legislation. There was some comments, most notably from Rep. Blackburn, that the term "reasonableness" needs to better outlined, but in general the Committee members seemed to agree that establishing a Federal standard would offer clarity to both consumers and business. One exception was Rep. Mike Pompeo (R-Kansas), who held the view that the free market was the best regulator of best practices noting that Target's sales declined substantially once the breach became known and that consumers would reward retailers with better security and punish those with poor safeguards.

II. There is a Brewing Fight between Retailers and Banks

This issue reignites the feud between banks and retailers, which was most recently on display during the interchange fee debate, sparked by the so-called "Durbin Amendment," added to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. In advance of these privacy hearings, both sides had already engaged. The National Retail Federation (NRF) sent a letter to congressional leaders at the end of January, outlining the retail industry's commitment to protecting sensitive consumer data. NRF President and CEO Matthew Shay put the onus on banks to replace current credit and debit cards with cards that would store data in an embedded computer micro-chip and require the use of a PIN rather than a signature, stating, "banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and Chip card technology for customers in Europe and dozens of other markets."

Meanwhile, the American Bankers Association (ABA) advanced the argument in the press that retailers should be responsible for covering the cost of the breaches, stating, "When a retailer speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach."

The hearings on Capitol Hill this week further highlighted the tensions between the two industries. Testifying on behalf of the ABA before the Senate Banking Committee on Monday, James Reuter, Executive Vice President of FirstBank, reiterated the banks' efforts to make consumers whole following a breach in security, saying that banks shoulder the vast majority of costs associated with the breach. "Overall, for 2009, 62 percent of reported debit card fraud losses were borne by banks, while 38 percent were borne by merchants," Reuter said.

NRF's testimony highlighted failures of the Payment Card Industry (PCI) and the "obvious deficiencies in cards themselves," while stating that merchant fraud costs are much higher than banks' fraud costs.

Retailers were the victors of the interchange debate, with the Durbin Amendment capping transaction fees charged to retailers when consumers used debit cards. It's notable that two of the Senators serving on the Senate Judiciary Committee, a Committee of jurisdiction for this debate, are Amy Klobuchar and Al Franken, both from Minnesota, home to Target headquarters

III. House Judiciary Members Express Support to a Privacy Right in Metadata

On Tuesday, the House Judiciary Committee held a hearing to examine proposed reforms to the Foreign Intelligence Surveillance Act. The hearing was to examine reports on surveillance activities released by the Review Group on Intelligence and Communications Technology and the President's Civil Liberties Oversight Board, both of which called into question the NSA's use of Section 215 of the PATRIOT Act for bulk collection of the metadata of Americans. Underpinning this activity, is the reasoning of Smith v. Maryland, which held that phone records belonged to phone companies, rather than the user of the phone.

In comments between questioning, Chairman Goodlatte, Ranking Member John Conyers (D-MI), Rep. Blake Fahrenholdt (R-TX), and Rep. Ted Poe (R-TX), all called into question whether Congress needs to create legislation to reform Smith. Chairman Goodlatte and Rep. Fahrenholdt went so far as to assert that consumers might have an overall right to privacy and ownership of the data they generate. While the musings of Congressman into an open microphone is far from the development and passage of legislative language, it was the first concrete evidence that there is a developing bi-partisan consensus that American consumers need enhanced protections for the metadata they are generating.

Congress will first address the problems outlined by the two reviews of Section 215, however by legislatively limiting the reach of Smith coupled with increasingly libertarian views on technology in both parties, the reform of how internet companies, retailers, and social networks collect and use information on their customers will not be far behind. There will inevitably be attempts to join the regulation of government and private data collection together.

IV. Who Does this Impact?

As mentioned above, the discussions before these four Congressional committees affect nearly every business that uses, stores, or processes the personal information of any American. The universe of those affected amounts to nearly every retailer and consumer financial institution in the United States.

In the near term, those with interests in how these debates are resolved should begin assessing their risks and engage with regulators and policy makers to understand what might be expected of them in a new regulatory environment. This dialogue would also enable them to help change proposals and to take advantage of current regulatory and legislative ambiguity to ensure minimal disruption to operations and services.

This legislative year promises to be a critical period in the development of privacy and data security regulations. Those who will be regulated are far better off being involved from the beginning, and helping to shape the outcome of these debates, than responding to the implementation of these regulations in the future.