Senate Introduces Data Security Act

By Andrew Ramonas
January 31, 2014

Sens. Tom Carper (D-DE) and Roy Blunt (R-MO) are taking aim at retailers with new legislation intended to improve safeguards for consumer information, following recent revelations about data breaches at Target Corp. and Neiman Marcus Group Ltd.

The Data Security Act, which the bi-partisan duo introduced on Jan. 15, would require companies that accept credit or debit card payments to have policies and procedures in place to protect consumer data from hackers and act on breaches when they occur. Under the Bill, businesses would have to investigate breaches and work to secure the data targeted by hackers.

Companies also would have to tell their customers and federal authorities about any breaches. And if a breach involves at least 5,000 customers, businesses must notify credit-reporting agencies, too.

The senators, who introduced similar legislation in the last Congress, say the measure would provide clarity to companies, which currently must comply with a variety of state laws on breaches. The District of Columbia, Guam, Puerto Rico, the Virgin Islands and 46 states all have differing statutes that concern breach notifications, according to the National Conference of State Legislatures (NCSL) (see a list of state statutes on NCSL.org at http://bit.ly/M5s82n).

“As the recent incidents involving Target and Neiman Marcus remind us, major data breaches that compromise consumers' identities and financial security are becoming more routine,” Carper said in a written statement. “These recent breaches, and others before them, underscore the need for Congress to act to protect Americans against fraud and identity theft.” (See the full statement on Carper's website at http://1.usa.gov/1ekoyYs.)

The National Retail Federation (NRF), a trade group for domestic retailers, expressed concern about the Bill.

David French, the group's senior vice president for government relations, said the measure needs to address the U.S. bankcard industry, which he said favors magnetic-stripe cards over more secure PIN-and-chip technology.

“While the Data Security Bill aims to protect consumer data, the Bill carves out banks, card companies and other financial institutions, the very parties who have been primarily responsible for sustaining the currently-flawed system,” French said in a written statement. See, “Retailers Comment on the Data Security Act,” NRF.com.

The legislation follows mounting concern in Congress about the security of consumer information.

Sen. Patrick Leahy (D-VT), the Senate Judiciary Committee's chairman, last month introduced the Personal Data Privacy and Security Act, a breach measure that he has offered in each of the past four Congresses. See, http://1.usa.gov/1dVtuby. Leahy said he plans to hold a hearing this year on breaches.

In the House of Representatives, Rep. Terry Lee (R-NE), chairman of the Commerce, Manufacturing, and Trade Subcommittee of the Energy and Commerce Committee, intended to have a hearing in the first week of this month on breaches. See, http://1.usa.gov/1g9LrVq. Officials from law enforcement agencies and Target will be among the witnesses.

On Jan. 10, Target revealed that as many as 110 million customers may have had their personal information stolen during the holiday shopping season. See, “Target Provides Update on Data Breach and Financial Performance,” Target.com. When the company first confirmed the breach on Dec. 19, it said the breach may have exposed as many as 40 million customers to fraud.

Also on Jan. 10, Neiman Marcus confirmed that a breach occurred. But as of press time, the luxury retailer has yet to say when the breach happened and how many customers it may have affected.

The Dec. 19 acknowledgement from Target and the Jan. 10 confirmation from Neiman both came after reports from data and security blog KrebsOnSecurity (Target and Neiman).

Both of the companies have said they are taking steps to notify customers about the breaches and are working with law enforcement authorities.

“The security of our customers' information is always a priority and we sincerely regret any inconvenience,” according to a tweet from Neiman Marcus.

Jason Weinstein, a Steptoe & Johnson partner and a former Justice Department official who focuses on privacy and data security issues, predicted last month that Target will face millions of dollars in legal fees connected to its breach. See, “Legal Ramifications of the Target Data Breach,” Law Technology News.

“Data privacy and security class action suits have become the ambulance-chasing of the 21st century,” he wrote on Steptoe and Johnson's Cyberblog.


Andrew Ramonas writes for Corporate Counsel, an ALM sibling of e-Commerce Law & Strategy.
