March 6, 2014
Silver Linings: Target’s Data Breach Could Lead to New Consumer Protections
For Target Corporation, December 2013 was an utter disaster. Just before Christmas, the company revealed that hackers had stolen personal information for as many as 110 million of its customers. From November 27th until December 15th, hackers accessed customers’ credit and debit card numbers, names, phone numbers, mailing addresses, and email addresses. The breach was one of the largest in history.
Unfortunately for consumers, the Target breach was not an isolated incident (see Neiman Marcus), and the problem will only grow in the future. Fran Rosch, a senior executive at the cyber security company Symantec, cautions that “the threat is exploding and so are the attacks.”
On February 4th, retailers spoke before a U.S. Senate panel in the hopes of finding a solution to the problem. One possible solution discussed during the panel was the implementation of EMV systems, which are widely used in Europe to prevent credit card fraud. These systems essentially replace the magnetic stripes found on credit cards with a small chip embedded in each card. The chips are nearly impossible to counterfeit, making stolen data far less valuable.
Retailers have been reluctant to utilize this tool partly due to the costs of replacing their current card reading machines. However, pressure has begun to mount – from consumer groups, to credit card companies, and now the U.S. Senate.
Unwilling to wait for retailers to find their own solutions, the Obama administration is advocating a uniform national standard that requires businesses to quickly report thefts of electronic personal information…
Unwilling to wait for retailers to find their own solutions, the Obama administration is advocating a uniform national standard that requires businesses to quickly report thefts of electronic personal information to the federal government and to consumers. Notification would allow law enforcement to “pursue and catch the predators.” Additionally, notification would allow consumers to take preemptive action against misuse of their personal information, such as obtaining a new debit card number.
Many states already have notification laws, however, a “strong and consistent national requirement would simplify compliance by business while ensuring that all consumers are protected,” according to Federal Trade Commission (FTC) Commissioner Edith Ramirez. In addition to notification requirements, Ramirez would like Congress to pass a law that allows the FTC greater authority to bring cases and force businesses to adequately protect their customers. Senator Elizabeth Warren, who has questioned whether the FTC currently has adequate authority to do so, echoed this sentiment. Currently, the FTC has the power to punish “unfair business practices.” The FTC has attempted to use this vaguely worded power to go after companies for failing to secure data. However this practice has been challenged by multiple businesses, and it remains unclear whether it is legal under current law.
Congress should strongly consider passing legislation that requires businesses to notify consumers when breaches occur, and ought to specifically authorize the FTC to enforce it. While this type of comprehensive legislation is unlikely to come quickly or easily, the February 4th Senate hearing was a step in the right direction. By bringing attention to the issue, Congress and the President have not only put pressure on businesses to improve their data protection, but have also alerted the public to remain vigilant while businesses and government adapt to evolving cyber security threats.