Retail, financial services divided on federal data standard bill
Executives from the financial services, retail and e-commerce industries were split Thursday on whether a federal data protection standard could better shield consumers and companies from having their information stolen.
The disagreements surfaced Thursday during a House Financial Services Committee hearing on the Data Security Act. Introduced last week, the bill would hold financial services and retailers to the standards set by the Gramm-Leach-Bliley Act, which forces financial institutions to safeguard sensitive data and explain their information-sharing practices to their customers.
Brian Dodge, an executive vice president with the Retail Industry Leaders Association, told the committee that Gramm-Leach-Bliley is too broad a rule for the range of businesses in the retail sector.
‘If Congress were to pursue legislation that shoehorned the Gramm-Leach-Bliley Act into the rest of the business community, it would go beyond the retail industry,’ Dodge told the committee, adding that the Federal Trade Commission has sufficient ability to oversee the retail industry. ‘We don’t think you can regulate your way to security. We need to start with the baseline that is a strong standard and emboldens the FTC to enforce these standards.’
Tim Pawlenty, the CEO of the Financial Services Roundtable, was supportive of the bill, saying the standards in the Gramm-Leach-Bliley Act are flexible enough to cover all sizes of financial service institutions and can be scaled across other private sectors. He added that the Data Security Act sets an important national standard in the face of data security laws that can vary from state to state.
‘We’re only as strong as the weakest link in the chain,’ Pawlenty said. ‘It doesn’t make a lot of sense to have 50 different standards and 50 different responses.’
Laura Moy, senior policy counsel with New America’s Open Technology Institute, expressed some reservations about a federal standard, saying that it needs to be flexible and serve as a ‘floor, not a ceiling’ for states that have their own robust data standards.
Any data legislation ‘would need to provide an agile mechanism to match developing technology and new threats,’ Moy said. ‘We can’t always forecast the next big threat years in advance, but we know that there will be one.’
A forthcoming threat that was discussed during the hearing was how the move to EMV cards, better known as chip-and-PIN cards, will affect what companies would be liable for in breaches or cases of identity fraud.
Pawlenty and Dodge agreed that more could be done but diverged on how their industries could enhance security practices. Dodge argued that card issuers should be forced to use both chip and PIN measures when card companies switch to EMV standards in October. Currently, card holders will not be required to use a PIN with their EMV cards.
‘Retailers believe that American consumers deserve the best available card security and that deploying the two-factor authentication enabled through chip and PIN will prevent criminals from duplicating cards with ease, devaluing the data that retailers collect at the point of sale and ultimately reducing cyber-attacks on retailers,’ Dodge wrote in his testimony.
Pawlenty, along with Stephen Orfei, general manager of the PCI Security Standards Council, said that other measures like biometrics, tokenization and end-to-end encryption are moving the industry away from any card-based protections. Orfei added that any security implementations are weak unless their standards are followed.
‘Applying our standards is the best line of defense,’ he said. ‘When bundled and implemented properly, the data is useless and there is no reason to break in.’
Rep. John Carney, D-Del., who co-sponsored the bill with fellow committee member Rep. Randy Neugebauer, R-Texas, said a solution needs to be discovered quickly, because the patchwork of state laws is failing to protect companies and consumers.
‘We think consumers and the companies that handle their personal financial data should know the rules of the road when it comes to protecting this data,’ Carney said. ‘The fact is that the White House, Congress and consumers agree that the status quo isn’t working.’