June 30, 2011

Senate committee weighs data security standards

July 1, 2011 – A bill that would require retailers and other entities that collect sensitive data to follow certain procedures for protecting customers' information was well received by a majority of witnesses at a Senate committee hearing on data security Wednesday.

S.1207, the Data Security and Breach Notification Act, would not only put in place national requirements for such procedures, but would instruct entities as to what steps they must follow in notifying customers of a data breach. It would also provide for greater transparency when sensitive data are compromised.

The bill was a focal point at the hearing, held by the Senate Committee on Commerce, Science, and Transportation. Committee Chairman John Rockefeller, D-W.Va., who introduced the bill along with Sen. Mark Pryor, D-Ark., said the bill is needed to address the rash of data breaches that continue to plague consumers and businesses.

U.S. Department of Commerce General Counsel Cameron Kerry said there is support for such legislation from the retail, technology and international trade sides of the business community. He said such a bill would be in their interest because it would address the "trust issue." With every breach, he said, companies face an increased risk of that trust eroding. Many companies have business models that work to maintain customer trust, he said, and requiring companies to follow certain national standards "is what the private sector needs."

Federal Trade Commission Commissioner Julie Brill pointed out that some recent security breaches have shown companies are failing to follow even basic security measures. In discussing Sony Network Entertainment International's recent breach, the company's President Tim Schaaff acknowledged that he felt responsible for what happened. Immediately following the breach, Sony shut down operations, issued free identity theft and credit check subscriptions to those affected, and upgraded its data security procedures.

Though Kerry said that he believed S.1207 would be successful in establishing a national breach notification system, Schaaff expressed concerns that it could lead to a series of over-notifications and "false alarms" that would ultimately be ignored.

While credit unions and other financial institutions must follow a strict set of standards under the Gramm-Leach-Bliley Act to keep sensitive data secure, no such requirements exist for retailers, merchants and others who collect and hold sensitive information. NAFCU believes that the current regulatory imbalance relating to data security needs to be corrected. Credit unions have been forced to suffer steep losses in re-establishing member safety after a data breach, including in instances where the retailer's failure to protect sensitive financial information was explicitly identified.