It’s breathtaking how far U.S. businesses will go to avoid the embarrassment, accountability and possible financial consequences of having to reveal to consumers they got hacked.
This has been a particularly relevant issue in light of the massive data-security breach involving credit agency Equifax, which last week raised the number of people affected by its privacy lapse to 148 million. The company first announced the breach in September after sitting on the information for more than a month.
This week, a congressional hearing was held on a draft bill aimed at creating a national standard for breach notifications. It’s a dubious piece of legislation for a number of reasons, not least that it would exclude Equifax and other credit agencies from its requirements.
No less troubling, it would exempt all banks and financial institutions, and would require notification by retailers and other businesses only if they believe there’s “a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss” to consumers.
No harm, apparently, no foul. And hence no notification that the company’s system had been hacked.
And the final insult: The bill would preempt tougher state laws, including California’s, thus lowering the notification bar for all businesses.
“This is simply an attempt to set weaker laws as the ceiling for what states can do to protect consumers,” said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.
He told me the requirements under the federal bill are so lax that, in many cases, “we wouldn’t even know that a breach took place.”
I reported in January that 22 industry groups were pushing lawmakers to pass data-security rules that ostensibly would protect consumers but in fact were more favorable to — wait for it — these 22 industry groups, led by the American Bankers Assn. and the Financial Services Roundtable.
The bill now being considered in Congress, unveiled last month, includes pretty much everything the groups were seeking.
The Data Acquisition and Technology Accountability and Security Act was introduced by Rep. Blaine Luetkemeyer, a Missouri Republican, and Rep. Carolyn Maloney, a New York Democrat.
I get why Luetkemeyer is involved. He’s chairman of the House Financial Services Subcommittee on Financial Institutions and Consumer Credit and is a friend to the banking business.
Maloney sits on the same committee, but she enjoys a reputation as a consumer champion. She wrote the Credit Card Accountability, Responsibility and Disclosure Act, which helped bring a measure of transparency to the card industry.
Maloney told me her priorities haven’t changed. She described her bill with Luetkemeyer as a work in progress and said she intends to incorporate feedback from consumer advocates.
“I will be working to address their concerns,” she said. “I will not support a bill that doesn’t put consumers first.”
At a hearing Wednesday, Luetkemeyer said the bill is intended to address “a regulatory labyrinth that causes compliance nightmares.”
“There will be another data security breach, and the personal information of too many consumers will be compromised,” he said. “The legislation we consider today aims to foster an environment where consumers are not just protected but empowered.”
Let’s look at why that isn’t really the case.
First, that too-casual notification trigger — warning people of a breach only if there’s a “reasonable risk” that harm has been caused.
While in some cases it’s clear that hackers are profiting from purloined data, frequently there’s no immediate evidence of fraud, or no proof that an act of fraud can be tied to a specific breach.
This gives companies ample wiggle room to either go slow or keep mum after a breach, which means consumers can be left in the dark.
Then there’s the bill’s carve-out for banks and other financial firms. The financial services industry lobbied for the exemption because they’re already covered by a separate law, known as Gramm-Leach-Bliley.
It says that if a firm learns it's been hacked, and that "misuse of its information about a customer has occurred or is reasonably possible," the company "should notify the affected customer as soon as possible."
Should notify. Not must. Like the pirate’s code, it’s more what you'd call guidelines.
Gramm-Leach-Bliley also provides the escape hatch for Equifax. Credit agencies are treated as financial firms under the law, and thus, like banks, they’d be exempt from a more exacting national breach notification rule.
Lastly, the Luetkemeyer-Maloney bill rides roughshod over state laws that hold businesses to a higher reporting standard. California requires that customers be notified any time a company becomes aware it's been hacked.
On the 23rd of its 24 pages, the federal bill says it “preempts any law, rule, regulation, requirement, standard or other provision having the force and effect of law of any state.”
A fine how-do-you-do.
“For all this talk about action after the Equifax breach, Congress hasn’t done anything in six months but is now moving to make things worse,” said Litt at U.S. PIRG.
If businesses truly want a uniform nationwide standard, he said, “they could take the strongest state laws and apply them to all consumers across the country.”
Rather, the American Bankers Assn. submitted a statement to lawmakers Wednesday reiterating its position that no new federal law should supersede provisions of Gramm-Leach-Bliley.
Misleadingly, it said “a critical component” of Gramm-Leach-Bliley is the law’s requirement that if a company finds out its information has been misused, “it must notify affected customers” as soon as possible.
Again, should, not must. The bankers were being dishonest in their characterization of the law.
In its own statement, the National Retail Federation, which opposes a notification exemption for the financial sector, observed that about a quarter of all data breaches involve financial firms.
“Congress should not permit ‘notice holes’ — the situation where certain entities are exempt from reporting known breaches of their own systems,” it said. “If we want meaningful incentives to increase security, everyone needs to have skin in the game.”
Retailers also don’t want to be the public face of data breaches. They want consumers to be just as aware that an Equifax or JPMorgan Chase was hacked as they are when it’s a Target or Home Depot.
Whatever the rationale, a strong, consistent notification rule is best. That’s the way Congress should be leaning — one size fits all.
From the consumer’s perspective, the only thing that counts is a timely warning that sensitive personal information is on the loose.
As I’ve previously noted, European countries will be adopting strict new privacy rules in May, including a requirement that people be notified within 72 hours of any unauthorized accessing of their personal information.
No carve-outs, no dawdling. Seventy-two hours.
That doesn’t seem so complicated, does it?