Data Breaches: Does the Government Need to Step In?

PHOTO: John J. Mulligan, left, executive Vice President and CFO of the Target Corporation, and, right, Michael R. Kingston, senior Vice President and CFO of the Neiman Marcus Group are sworn-in on Capitol Hill, Feb. 4, 2014, in Washington.

To listen to some House Republicans at the Target hearing Wednesday, and the Senate Republicans on Tuesday, one would be forgiven for thinking that the massive data breaches experienced by customers of Target, Neiman Marcus and the hotel management chain White Lodging were serious enough to warrant two Congressional hearings (and one more to come), but not a single change to federal law.

Responding to Senate Democrats' interest in a new federal breach notification law, which would require companies to notify people in a uniform way if their personal data was lost or stolen, Sen. Charles Grassley (R-Iowa) said, "Overnotification can lead to harm and apathy" -- just moments before Sen. Dianne Feinstein (D-Calif.) told the room that she had been affected by one of the data breaches but had yet to receive any notice.

The House committee's Privacy Working Group co-chair, Rep. Marsha Blackburn (R-Tenn.), seemed entirely unconvinced that any new legislation was necessary, suggesting that the House might only have to decide how to "take the rules on the books for the physical space and apply them to the virtual space to encourage commerce" -- even though she acknowledged how concerned her constituents remained about their own security.

The Right to Know

It's not as though these breaches are the first to affect millions of Americans and, rest assured, they won't be the last. Data breaches are destined to join death and taxes as the third certainty in life, as a new Javelin survey this week shows. Javelin's numbers indicate that 2013 was the second most prolific year for identity thieves in recent history, with a near-record 13.1 million Americans being affected to the tune of $18 billion -- an increase of 500,000 victims over 2012.

But it's only going to get worse for people -- between the slow crawl by retailers and card issuers to make the requisite investment to replace the ubiquitous, less-secure magnetic stripe cards and readers with a fully functional chip-and-PIN smartcard system that provides a heightened level of security, and the exponential increase in the technological sophistication of hackers determined to maximize the take from their criminal activities.

Americans have the right to know when their financial lives have been put at risk by one of the many organizations that collect and maintain their data -- be that medical information, personally identifying information and/or financial information. But currently, each state has a different law (if it has one at all), making notifications more difficult to handle correctly, especially for small organizations -- and the laws all require companies to reveal different things in different ways, making it hard for consumers to understand how they might or might not really be affected.

As Sen. Feinstein noted, some in the business community have been fighting against federal breach notification standards for years, even as the number of breaches and the number of Americans affected by each breach have skyrocketed. In the past two months, it's possible that fully half of this country -- or more -- has been snared in one of the breaches that have made the nightly news, and those are just the ones about which we know.
