Legislators Split on Data Privacy Laws

Despite a steady stream of data breaches this year-most recently at CardSystems Solutions Inc.- members of Congress are unable to agree on how to combat the growing threat to consumer privacy, and the roster of divergent proposals grew again las

Despite a steady stream of data breaches this year—most recently at CardSystems Solutions Inc.— members of Congress are unable to agree on how to combat the growing threat to consumer privacy, and the roster of divergent proposals grew again last week.

"We need to do everything possible to ensure that our personal information remains privileged and protected when we make any financial transaction," said Rep. Sue Kelly, R-N.Y., chairman of the U.S. House Committee on Financial Services Subcommittee on Oversight and Investigations. Kelly chaired a hearing last week to examine the CardSystems incident.

However, some in Congress remain reluctant to impose any new regulations at all, contending that the marketplace will compel security improvements.

"Government intervention may hurt," said Rep. Patrick McHenry, R-N.C. "If the marketplace is going to deal with this, lets monitor it, lets watch it."

The marketplace responded swiftly last week to the CardSystems disclosures, as American Express Co. and Visa USA Inc. canceled their contracts with the Atlanta-based credit card processing company. As of July 21, MasterCard International Inc., which had approximately 68,000 accounts compromised in the breach, has given CardSystems until Aug. 31 to comply with its data security requirements, according to Joshua Peirez, senior vice president and associate general counsel at MasterCard, in Purchase, N.Y.

CardSystems revealed in June that a hack of its network had exposed data on as many as 40 million credit card accounts, with more than 200,000 accounts put at high risk of theft. The company acknowledged it had been keeping transaction data on its network for research purposes, a violation of PCI (Payment Card Industry) data security requirements.

John Perry, CardSystems president and CEO, told members of Congress that his company faces "imminent extinction" if the credit card companies do not reconsider their decisions to cancel their contracts. "CardSystems is being driven out of business," Perry said at the hearing, adding that hundreds of merchants will be left in the lurch if the company closes.

Visa, which had approximately 22 million card numbers put at risk in the CardSystems breach, agreed to meet and discuss the situation with CardSystems, Perry said.

Within the House Committee on Financial Services alone, three separate data protection bills have been introduced, including two very similar measures launched last week. Among the proposals are security requirements that resemble the safeguards imposed under the GLBA (Gramm-Leach-Bliley Act). CardSystems was not supposed to maintain personally identifying data and therefore was not subject to GLBA requirements. However, the company did hold that type of data in error.

All the pending bills address the breached entitys responsibility to notify consumers of risk, but they differ in how much risk should be likely before notification is required. Some seek to mirror Californias data breach notification law, which exempts companies that encrypt data.

Another difference in the pending bills centers on whether federal legislation should pre-empt state laws, a provision that data holders are pressing for. Asked by Rep. Artur Davis, D-Ala., whether a federal identification-theft law should pre-empt a states general breach of contract or tort laws not specific to data theft, Steve Ruwe, Visas executive vice president for operations and risk management, said yes.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.