High-Profile Data Breaches Spur Legislative Action on Cyber Security

After a spate of high-profile data security breaches, many legislators, businesses, and consumers are asking what can be done to prevent such security lapses and who should be held responsible. The increased attention to data security has led to a flurry of recent activity in state legislatures and in Washington.

Legislative Action in California

Earlier this year, California lawmakers proposed changes to the state’s Data Breach Notification law that would have made retailers liable for customers’ financial losses after a data breach. The bill has been scaled back since it was first introduced, but it would still hold retailers responsible for the costs of credit monitoring services after a data breach. Specifically, if a retailer was the source of the data breach, the bill would require the business to offer identity theft prevention and mitigation services at no cost to the affected customer for a minimum of 12 months. The bill passed the California Assembly in May and is currently pending a final vote in the state Senate.

California lawmakers also introduced a bill this year that would have required credit and debit card companies to switch from magnetic strip technology to microchip technology. Proponents of the bill argued that such a change is necessary to deter identity theft and credit card fraud and noted that the US is one of the last developed countries that still relies on magnetic strip technology. The microchip technology embedded in the payment card makes the cards nearly impossible to counterfeit and allows for additional security precautions not possible through use of a magnetic strip alone. The bill was approved by a California Senate committee in May, but was withdrawn from consideration after opponents of the bill raised concerns about the cost of the changeover and its potentially disruptive impact on interstate commerce.

A Potential Thaw on Cyber Security in Washington

The US Senate Select Committee on Intelligence approved a bill on July 8, 2014 that would encourage companies to share computer threat data with the US government. Among other things, the bill would create liability protections for companies that appropriately monitor their computer networks and share cyber information with the government. The bill would also authorize companies to monitor their own computer networks and those of their consenting customers for cyber threats and to implement countermeasures to block those threats. In an attempt to alleviate the concerns of privacy advocates, the bill would direct companies to take “appropriate measures” to protect against the sharing of personally identifying information. Nonetheless, critics have argued that, while there is a clear need for federal cyber security legislation, this proposal doesn’t do enough to protect Americans’ privacy.

Trade Associations Propose Their Own Solution

The Retail Industry Leaders Association (RILA), a trade association whose members include retailers such as Apple, CVS, and Gap, announced a new initiative in May aimed at combating data theft. The centerpiece of the new effort is an organization called the Retail Cyber Intelligence Sharing Center, which will allow retailers to share cyber threat information among themselves and with the US government. According to RILA, the organization is composed of members from across the retail and merchant spectrum and will include an information sharing and analysis center, an education and training group, and a research arm.

What Does All This Mean for Business?

As more companies collect a growing amount of data on consumers, the pressure for new regulation is likely to grow. Even if the proposals described above aren’t adopted or implemented in the immediate term, businesses should consider how such changes could affect their operations and begin to plan for the possibility, or likelihood, of greater regulatory scrutiny in the years to come.
