It shouldn’t be too hard to predict how this will turn out.
In every two-year session since 2005, Congress has considered legislation to enact a federal law to govern data breaches that put citizens at risk for identity theft.
Lawmakers are at it again this session, with the Data Security and Breach Notification Act of 2013 proposed last month in the Senate. In the House, a subcommittee took testimony last week from a handful of invited guests representing business and academia on how it might craft its own legislation.
In both cases, the “messy patchwork” of existing state laws was cited as an impetus for the federal move; so too was an increased incidence of breaches.
All but four states have statutes in place meant to alert consumers when their private information is exposed, such as the breaches to credit and debit card accounts that affected names familiar to the Capital Region: retailer TJX Cos. in 2007; grocer Hannaford in 2008; and some local stores of burger chain Five Guys last year.
Symantec, a security software company, says 2012 saw fewer massive data breaches but more small ones. A study it commissioned found the average breach costs U.S. businesses $188 per lost record, or $5.4 million per incident.
“The risk of a data breach is now higher than ever before,” Symantec’s senior policy counsel for cybersecurity, Jeff Greene, testified at the House subcommittee hearing.
Kevin Richards, a senior vice president at TechAmerica, a technology company trade group, pointed to the need to preempt state laws that “often vary needlessly and in some cases don’t make sense.”
Preemption was supported by others who testified at the hearing, and it is included in the legislation introduced in the Senate in June.
But Andrea Matwyshyn, an assistant professor at the University of Pennsylvania’s Wharton School, warned against it. “Limiting states’ rights to impose liability for information security misconduct will further erode consumer trust and damage innovation in the United States,” she testified.
Matwyshyn noted that overlapping state and federal regulatory functions already exist in the laws governing publicly traded companies, and that “multiple regulators successfully collaborate to ensure consumer protection and market stability.”
My gripe about these kinds of deliberations has less to do with whether laws need to be standardized across state lines or what kind of private-information release constitutes a breach.
Rather, I get mad when data breaches aren’t reported swiftly or when we’re left guessing what company — and, thus, whether I — was affected.
In the 2007 TJX breach, I wasn’t aware that my credit card was at risk until my bank sent me a new card with a note saying there had been “a security breach … at a retail merchant.” No mention was made of TJX or its Marshalls and TJ Maxx stores, and the retailer didn’t own up to the breach for more than a month after it was first detected.
In the Hannaford breach, the grocer stepped forward soon after the Massachusetts Bankers Association mentioned that banks in the state had been alerted to a breach — even though they didn’t know the specific retailer. Last year’s Five Guys breach came to light only after Trustco Bank sued a franchisee to recoup the costs of replacing debit cards.
Given that Congress hasn’t found the right combination yet for a national statute to govern breaches, maybe it can work in points to address my gripes, too.
Marlene Kennedy is a freelance columnist. Opinions expressed in her column are her own and not necessarily the newspaper’s. Reach her at email@example.com.