Twenty-two industry groups, representing thousands of U.S. businesses, sent a letter to Congress the other day calling on lawmakers to pass sweeping data-security rules. At first glance, that seems like a really good thing for consumers.
Upon closer inspection, however, the letter suggests these corporate heavyweights are aiming to sell out consumers by pushing for data-breach notification rules that are inconsistent and far weaker than what many states, including California, already require.
The tip-off is the presence of the Retail Industry Leaders Assn., or RILA, among the letter’s signatories.
In the past, retailers have seldom seen eye to eye with financial firms on how much data security should be required and when consumers should be notified of a security breach. Retailers say these aren’t one-size-fits-all issues.
More to the point, say consumer advocates, is that retailers are a frequent target of hackers and would prefer not to take the PR hit of announcing every other day that customers’ data are in the wrong hands.
Yet suddenly RILA is joining the likes of the American Bankers Assn., the Consumer Bankers Assn. and the Financial Services Roundtable in seeking “federal legislation to protect personal information and, in the event of a data breach that could result in identity theft or other financial harm, ensure consumers are notified in a timely manner.”
“My guess is they’ve cut a deal for Congress to pass a bill that doesn’t require notification in all instances all the time,” said Ed Mierzwinski, federal consumer program director for the U.S. Public Interest Research Group.
“RILA members in the past were very, very upset by the idea that everyone would have to provide notice,” he said. “It’s likely Congress will now pass a Trojan horse bill that weakens state notification requirements.”
I wrote recently about a lack of progress in passing privacy safeguards months after the Equifax breach, which exposed the personal information of more than 145 million Americans.
It seems likely that industry groups, sensing it will take only one more major breach to prompt federal action, have come together to guide lawmakers down a business-friendly path.
In 2015, RILA called on Congress to adopt national breach-notification rules that include “a reasonable timetable for notification” and that take into account “the practical challenges associated with a large-scale notice.”
The association also said a federal notification rule should ensure “that notice is required only when there is a reasonable belief that a breach has or will result in identity theft, economic loss or harm.”
By that standard, major retailers (and RILA members) such as Target and Home Depot, which in recent years experienced breaches affecting nearly 100 million people combined, would be within their rights not to tell anyone, so long as they held "a reasonable belief" that no one would be harmed.
Nick Ahrens, vice president of cybersecurity and privacy for RILA, acknowledged that retailers and financial firms have clashed in the past over data-security issues. But he said these fights actually were “proxies” for other disputes, such as how much merchants should pay banks in “swipe fees” when customers use plastic.
Nevertheless, he told me retailers have always supported more effective data-security measures, and the industry recognizes it has to work with other businesses in responding to the growing problem of data breaches.
What RILA wants, Ahrens said, is “a unified data-breach notification standard” governing all companies. He suggested this is what the 22 industry groups are seeking in their letter to lawmakers.
But it’s not.
A close reading of the letter to the House Energy and Commerce Committee reveals that the groups desire a carve-out for financial firms that would allow them to continue being guided by a federal law known as Gramm-Leach-Bliley, which is squishy at best in terms of its notification requirement.
Gramm-Leach-Bliley says that if a firm learns it’s been hacked, and that “misuse of its information about a customer has occurred or is reasonably possible,” the company “should notify the affected customer as soon as possible.”
Should. Not must. Big difference.
More than half of the industry groups sending the letter represent financial firms that fall under Gramm-Leach-Bliley. They don’t want any tougher notification requirements.
For most other companies, including retailers, the letter urges lawmakers to establish “flexible” standards that take into account “the cost of available tools to secure data” and “the sensitivity of the personal information an organization holds.”
There also should be guarantees that smaller companies “are not burdened by excessive requirements.”
To recap: The same old loopholes for banks and other financial firms, and new rules for other companies that don’t, you know, put them out or anything.
On top of all that, the letter specifies that new federal privacy rules must provide “clear pre-emption of the existing patchwork of often conflicting and contradictory state laws.”
California requires that customers be notified whenever a business discovers that their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. There is no harm threshold to argue about, which makes it a good deal more stringent than anything in force or proposed at the federal level.
I pointed out to Ahrens that RILA can’t honestly say it supports “a unified data-breach notification standard” when it’s willing to accept continued use of Gramm-Leach-Bliley for financial firms.
In response, he softened his remarks to say that “our ideal would be having everyone under the same notification regime.” He said RILA agreed to the terms of the letter “to get something done” in Congress.
OK, except the other major retail industry group, the National Retail Federation, was similarly asked by financial firms to back the initiative. It said no.
“The problem is Gramm-Leach-Bliley,” said David French, senior vice president of government relations for the National Retail Federation. “It doesn’t have a notice obligation. It says ‘should notify.’ It doesn’t require notification.”
Apparently RILA, which represents large retail chains, isn’t as high-minded as its lobbying counterpart, which focuses more on small- and medium-sized companies.
The European Union's General Data Protection Regulation takes effect in May. Among its rules is a requirement that companies report a breach to regulators within 72 hours of becoming aware of it, and that they tell affected individuals without undue delay when the breach is likely to put them at high risk.
Pay attention, Congress. That’s how you do it.