Communications Daily is a service of Warren Communications News.
More Hearings in Store

Federal Legislation, High-Tech Payment Processing Could Mitigate Data Breaches, Stakeholders Say

Federal data security legislation and high-technology payment processing features were among the suggestions industry attorneys and Internet security advocates raised in response to the recent flurry of data breaches. Legislation, if done correctly, would help companies with compliance and improve their data security, said stakeholders in interviews this week. Last week, Target upped to a total of at least 70 million the number of consumers potentially affected by one of the largest data breaches to hit a U.S. retailer. Re-evaluating the outdated mode of credit card payment processing in the U.S. would better protect companies and consumers against data theft, said experts. They also raised questions about the power of credit card companies to effectively regulate alleged data breaches.

The Senate Judiciary Committee plans a hearing on data breaches Feb. 4, it said Wednesday night (http://1.usa.gov/K7fKh7). Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., had said last week, pegged to his reintroduction of his Personal Data Privacy and Security Act, that the hearing would be “early in the new Senate session.”

The Senate Commerce Committee is likely to hold a hearing in the coming weeks either at full committee or the Consumer Protection Subcommittee level, an aide to Sen. Claire McCaskill, D-Mo., told us. McCaskill chairs that subcommittee and sent a letter to Target with committee Chairman Jay Rockefeller, D-W.Va., which they released Tuesday (http://1.usa.gov/1hrkqKt). McCaskill and Rockefeller are talking about at what level the hearing should take place, the aide said. The Senate Commerce Committee has jurisdiction over commercial data practices and data security, said McCaskill and Rockefeller, citing their advocacy for data security and breach notification legislation.

“Target’s recent incident demonstrates the need for such federal legislation,” McCaskill and Rockefeller wrote. They requested a briefing from Target information security officials for committee staff. Members of other committees in both chambers have vied for data breach hearings. Three Democrats wrote a letter to Senate Banking Committee leadership Dec. 30 requesting a hearing (http://1.usa.gov/1gMcm66). There have also been internal pushes for action within the House Oversight Committee and House Financial Services Committee.

Outdated technology, possibly to blame in recent data breaches, should be improved, said an industry lawyer who heads a law firm that represents merchants and tech companies. “The U.S. electronic payment system relies on an outdated technology and criminals target the U.S. as a result,” said Stephen Cannon, chairman of Constantine Cannon, which has represented merchants in alleged cases of data breaches. Credit and debit card information is captured using a magnetic stripe, “a forty year-old technology,” he said. The Europay, MasterCard, Visa (EMV) “chip and PIN technology used in other countries is many, many times more secure from fraud and theft than” a magnetic-stripe card, he said. “The U.S. has lagged way behind the vast majority of other countries in the world in issuance of EMV cards.”

Chip and PIN is a smartcard technology in which an embedded chip in the payment card authenticates the transaction, with the cardholder verified by a PIN. “In the EU, the card must do some fancy math (cryptography) to prove that you had the card at the time of the transaction,” said Joe Hall, Center for Democracy and Technology chief technologist, by email. “While that would go a long way to improving credit card purchase security and lower instances of fraud, it is in no way perfect.” Payment processing security has “no easy answer,” said Cannon. The “vulnerability” of payment processing in the U.S. “needs to be comprehensively addressed,” he said.
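A simplified illustration of the difference Hall describes, added here as example code that is not part of the article and is not real EMV: the chip computes a keyed MAC (a stand-in for an EMV cryptogram) over the amount, a terminal-supplied unpredictable number and the card's transaction counter, so a value captured at one terminal does not verify for any other transaction, whereas static magnetic-stripe track data matches every time it is presented. The issuer key, card number and track string are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed issuer master key; a real issuer keeps this in an HSM.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key-not-real"


def card_key(pan: str) -> bytes:
    """Per-card key derived from the issuer key (stand-in for EMV key derivation)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def transaction_data(amount_cents: int, terminal_nonce: bytes, counter: int) -> bytes:
    """Bind the cryptogram to the amount, the terminal's unpredictable number and the card counter."""
    return b"|".join([str(amount_cents).encode(), terminal_nonce.hex().encode(), str(counter).encode()])


def card_cryptogram(pan: str, amount_cents: int, terminal_nonce: bytes, counter: int) -> bytes:
    """What the chip computes: a MAC using a key that never leaves the card."""
    return hmac.new(card_key(pan), transaction_data(amount_cents, terminal_nonce, counter), hashlib.sha256).digest()


def issuer_verify(pan: str, amount_cents: int, terminal_nonce: bytes, counter: int,
                  cryptogram: bytes, last_counter_seen: int) -> bool:
    """Issuer side: recompute the MAC and require a counter newer than the last one accepted."""
    if counter <= last_counter_seen:
        return False  # a second presentation of the same transaction is rejected
    expected = card_cryptogram(pan, amount_cents, terminal_nonce, counter)
    return hmac.compare_digest(expected, cryptogram)


def magstripe_verify(stored_track: str, presented_track: str) -> bool:
    """Static track data: the recorded value matches on every presentation."""
    return hmac.compare_digest(stored_track, presented_track)


def demo() -> dict:
    pan = "4000000000000000"  # constructed test card number
    nonce1 = secrets.token_bytes(4)
    crypt1 = card_cryptogram(pan, 4999, nonce1, 1)
    genuine = issuer_verify(pan, 4999, nonce1, 1, crypt1, 0)
    # The same cryptogram presented for a later transaction at a different terminal fails.
    new_nonce = issuer_verify(pan, 4999, secrets.token_bytes(4), 2, crypt1, 1)
    same_counter = issuer_verify(pan, 4999, nonce1, 1, crypt1, 1)
    track = "4000000000000000=2512101000000000000"  # constructed track-2 style string
    return {"genuine": genuine, "replay_new_nonce": new_nonce,
            "replay_same_counter": same_counter, "magstripe_replay": magstripe_verify(track, track)}
```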

Cannon also raised the “question of private enforcement with respect to card data security.” Credit card companies can “levy fines” and “penalize their acquiring banks, which simply turn right around and pass any of their anticipated potential financial obligations to the card networks directly onto the merchant,” he said. “In essence, card networks like Visa and MasterCard act like governments when it comes to regulating electronic payments and in particular, when it comes to issues of data security or possible data breaches.” This provides acquiring banks, once notified of an alleged breach by a credit card company, “an absolute tap into the revenue pipeline of their merchants,” he said. If acquiring banks “think something has gone wrong, they can take whatever amount of the merchant’s money they think is appropriate, for whatever reason they think is appropriate, for as long as they think is appropriate,” said Cannon.

TechAmerica has “long supported a national, pre-emptive standard for data security and data breach notification provisions,” said Joe Rubin, head of federal government affairs at the group with board members including executives from eBay and Microsoft. Such a bill would preempt various state laws for data breaches in favor of one federal law, he said. Rubin is “confident” that the “vast majority of the business community agrees” with a federal standard, but cautioned that “Congress needs to get it right. Getting it wrong would actually, in some cases, be worse than” complying with various state laws, he said. Congress needs to take care that what “they are enacting is in fact a uniform federal standard, not a 51st standard and something companies can comply with -- not something that’s going to be worse than current law,” he said.

TechAmerica is watching the introduction of data breach legislation, such as Leahy’s, “very closely,” said Rubin. Whether the bills will “cross the finish line” is unclear, he said. Differences over “notification standards” and “non-breach notification provisions” have prevented earlier passage of data security bills, he said. Leahy has a “data broker” provision in his bill, “which could adversely affect hundreds or even thousands of companies,” said Rubin. He said he wants to work with Leahy and other data security sponsors, but “introducing the same bills over and over again” probably won’t produce “much different of outcome, ultimately.”

The “real question” is what the “reasonable” standard is for data security, said Jessica Herrera-Flanigan, an attorney at Monument Policy Group, which has high-tech clients. “There’s not a system on the grid that can’t be penetrated.” This is about how much “convenience” people want in online transactions, “as opposed to putting more things in place that may slow down our experience,” said Herrera-Flanigan. “That’s something that a lot of companies are going to have to think about and that’s what customers have to think about, too.” (jmcknight@warren-news.com)