Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) are taking aim at retailers with new legislation intended to improve safeguards for consumer information, following recent revelations about data breaches at Target Corp. and Neiman Marcus Group Ltd.
The Data Security Act [PDF], which the bipartisan duo introduced Wednesday, would require companies that accept credit or debit card payments to have policies and procedures in place to protect consumer data from hackers and act on breaches when they occur. Under the bill, businesses would have to investigate breaches and work to secure the data targeted by hackers.
Companies also would have to tell their customers and federal authorities about any breaches. And if a breach involves at least 5,000 customers, businesses must notify credit-reporting agencies, too.
The senators, who introduced similar legislation in the last Congress, said the measure would provide clarity to companies, which currently must comply with a variety of state laws on breaches. The District of Columbia, Guam, Puerto Rico, the Virgin Islands and 46 states all have differing statutes that concern breach notifications, according to the National Conference of State Legislatures.
“As the recent incidents involving Target and Neiman Marcus remind us, major data breaches that compromise consumers’ identities and financial security are becoming more routine,” Carper said in a written statement. “These recent breaches, and others before them, underscore the need for Congress to act to protect Americans against fraud and identity theft.”
The National Retail Federation, the leading trade group for domestic retailers, expressed concern about the bill.
David French, the group’s senior vice president for government relations, said the measure needs to address the U.S. bankcard industry, which he said favors magnetic-stripe cards over the more secure chip-and-PIN technology.
“While the Data Security bill aims to protect consumer data, the bill carves out banks, card companies and other financial institutions, the very parties who have been primarily responsible for sustaining the currently-flawed system,” French said in a written statement. “The National Retail Federation looks forward to working with lawmakers as the process moves forward.”
The legislation follows mounting concern in Congress about the security of consumer information.
Sen. Patrick Leahy (D-Vt.), the Senate Judiciary Committee’s chairman, last week introduced the Personal Data Privacy and Security Act, a breach measure that he has offered in each of the past four Congresses. Leahy said he plans to hold a hearing this year on breaches.
In the House of Representatives, Rep. Lee Terry (R-Neb.), chairman of the Commerce, Manufacturing, and Trade Subcommittee of the Energy and Commerce Committee, intends to have a hearing in the first week of February on breaches. Officials from law enforcement agencies and Target will be among the witnesses.
Target on Jan. 10 revealed that as many as 110 million customers may have had their personal information stolen during the holiday shopping season. When the company first confirmed the breach on Dec. 19, it said the breach may have exposed as many as 40 million customers to fraud.
On Jan. 10, Neiman Marcus also confirmed that a breach occurred. But the luxury retailer has yet to say when the breach happened and how many customers it may have affected.
The Dec. 19 acknowledgement from Target and the Jan. 10 confirmation from Neiman Marcus both came after reports from the data-security blog KrebsOnSecurity (Target here and Neiman Marcus here).
Both of the companies have said they are taking steps to notify customers about the breaches and are working with law enforcement authorities.
“The security of our customers’ information is always a priority and we sincerely regret any inconvenience,” according to a tweet from Neiman Marcus.
Jason Weinstein, a Steptoe & Johnson partner and a former Justice Department official who focuses on privacy and data security issues, predicted last month that Target will face millions of dollars in legal fees connected to its breach.
“Data privacy and security class action suits have become the ambulance-chasing of the 21st century,” he wrote on Steptoe’s Cyberblog.