Businesses face rising political pressure from data breaches

Data breaches like the one at Target and, more recently, at a unit of credit bureau Experian are fueling consumer protection efforts that could have an impact on business.

This week, the Federal Trade Commission urged Congress to pass national breach notification legislation, while in California, a bill introduced recently in the state Legislature would ban businesses from storing certain customer data for long periods of time.

The end result of the latest activity might not be known, but the trend is clear. High-profile data breaches are bolstering critics' arguments that government needs to step in to protect consumers.

The problem is that no matter how cautious people are, the safety of their personal data relies on the third party that stores it.

"We tell individuals to simply assume that your personal information is going to be compromised and to take steps to protect yourself on a daily basis," Beth Givens, director of the Privacy Rights Clearinghouse, said. "However, there is nothing any consumer could have done to prevent being affected by these breaches."

The breaches include retailer Target, which had the personal data of 110 million shoppers stolen from its computers by hackers in December. More recently, a breach at a subsidiary of Experian exposed the Social Security numbers and other personal data of 200 million people, Reuters news agency reported. The incident has started a multi-state investigation into whether laws to protect consumer data were properly followed.

On Wednesday, Edith Ramirez, chairwoman of the Federal Trade Commission, told the Senate Committee on Homeland Security and Government Affairs that as more data breaches are reported, the message becomes clear that "consumers' data is at risk."

To reduce that risk, Ramirez asked that Congress require companies to notify consumers affected by a breach. In addition, Ramirez called on lawmakers to give the FTC the authority to seek civil penalties to deter unlawful conduct by companies, rulemaking authority to bolster protections and jurisdiction over non-profit entities, which are not currently under FTC oversight.

In California, the bill introduced in the state Assembly would ban long-term storage of personal identification numbers, Social Security numbers and driver's license numbers. The proposal would also require retailers to cover consumers' losses from data breaches. Businesses would also be required to notify victims within 15 days of a breach.

"The provisions (of the bill) provide a great deal of additional consumer protection for individuals who have been affected by data breaches," Givens said.

Such legislation is not supported by businesses. NetChoice, a trade association of e-commerce businesses, pointed out in a blog post that retailers are also victims in data breaches, which can lead to millions of dollars in losses.

"We shouldn't resort to new legislation that penalizes the victim," Carl Szabo, policy counsel for NetChoice, wrote.

With most breaches, businesses are already punished by having to pay fines to credit card companies and reimburse banks for fraudulent charges on credit cards.

Rather than pass additional laws, the association would prefer that Congress consolidate existing state laws on data breach notification into one federal standard.

"Today, online and offline businesses face a patchwork of state laws, attorneys general and consumer organizations that play by different and confusing rules," Szabo said. "A single federal standard for data breach notification would resolve the confusion and benefit both consumers and businesses."


Stories by Antone Gonsalves
