Data Breach Legislation Sparks Debate

Published July 1, 2007

Data breaches in the retailing and banking sectors generate the biggest headlines, but government agencies and universities have accounted for the overwhelming majority of breaches in data security, an official with the National Retail Federation told state legislators at a recent meeting in Washington.

Speaking on a panel addressing data protection at the National Conference of State Legislatures’ Spring Forum in April, Elizabeth Oesterle, senior director and government relations counsel for the retailing trade group, said education and willingness to change certain business processes are the best ways businesses and government agencies can guard against liability for identity theft and consumer fraud.

Representatives for the Federal Trade Commission (FTC) and banking groups on the panel agreed with Oesterle’s assessment.

At least 25 states have enacted data breach notification laws, beginning with California in 2002. Congress failed to act on a number of data protection bills introduced last year. Bills introduced in 2007 include the Personal Data Privacy and Security Act of 2007 (S. 245) and the Identity Theft Prevention Act (S. 1178).

Worst Record: Governments, Universities

Governments and universities have been responsible for 60 percent of the reported breaches, Oesterle said, citing data from the Privacy Rights Clearinghouse, an organization that tracks data breaches. The retailing industry accounted for only 3 percent of such breaches, and banks and financial institutions accounted for 9 percent.

Jessica Rich, assistant director for privacy and data protection at the FTC, said the federal agency is stepping up data protection efforts through business and consumer education, promotion of breach notification laws, and participation in the Presidential Task Force on Identity Theft.

The task force recommendations, released in April, include decreasing public-sector use of Social Security numbers; educating federal agencies on ways to enhance data protection; and improving federal response when breaches occur.

The recommendations include several legislative proposals to close gaps in existing identity theft statutes.

National Standards

In the private sector, the task force recommends national standards be established to require protection of personal data and prompt notification when a breach poses a significant risk of identity theft.

“We will support laws to create rules and basic requirements for data collection,” Rich said. “Notice should be required when there is likely harm.”

Even though they were speaking to an audience of state legislators, Oesterle and Leslie Woolley, vice president of congressional relations and interstate banking for the Conference of State Bank Supervisors, both favored federal legislation over a patchwork of state laws with different requirements. Once federal laws are established, states could adopt similar measures, they noted.

Woolley cited a Maryland law that passed this May. Under its terms, “If you’re in compliance with federal law, you’re in compliance with state law,” she noted.

Liability Issues

Panelists also debated the appropriate threshold for reporting breaches. The California law requires customer notification whenever there is reasonable suspicion of a breach. Maryland’s new law requires notice only if an investigation shows misuse of the individual’s personal information has actually occurred.

The panel also discussed the concerns that retailers and banks, which bear the cost of issuing credit cards, have about regulation and liability legislation. Oesterle and Woolley both expressed concern about liability issues.

Since they bear the cost of issuing cards, smaller banks want to be reimbursed by retailers when a breach makes card replacement necessary. Retailers, however, fear being forced to pay for the replacement of thousands of credit and debit cards from bank customers who are not truly at risk but feel vulnerable in the wake of a reported breach.


Steven Titch ([email protected]) is senior fellow for IT and telecom policy for The Heartland Institute and managing editor of IT&T News.


For more information …

Privacy Rights Clearinghouse, http://www.privacyrights.org/

Maryland Consumer Protection-Personal Information Protection Act, http://mlis.state.md.us/2007RS/bills/hb/hb0208e.pdf

Federal Personal Data Privacy and Security Act of 2007, http://thomas.loc.gov/cgi-bin/query/D?c110:1:./temp/~c110JmpaSQ::

Federal Identity Theft Prevention Act, http://thomas.loc.gov/cgi-bin/query/z?c110:S.1178: