As Federal Data Breach Bill Goes To The Full U.S. Senate, NRF Warns Of “Notice Fatigue.” Not To Worry: This Bill’s Many Loopholes Won’t Require Retail Chains To Do Much Anyway
The bill, however, does do some meaningful things to dilute prosecutions of data breaches, which is presumably the opposite of its goal. Today, the Federal Trade Commission complains—with good cause—that it has little power to punish retailers that violate its rules. The fine limits the FTC has do little to discourage bad actions from chains whose revenue is in the billions of dollars.
Leahy reported last week that new changes will “address concerns about excessive civil liability for enforcement actions brought by the Federal Trade Commission” and “concerns about excessive civil penalties for enforcement actions brought by the Attorney General and the Federal Trade Commission.”
Not to worry, though; state attorneys general can always move in, because they have more fine options than does the FTC. Right? Not if this bill is passed. It specifically prohibits states from prosecuting cases where the feds are involved. So the same bill that sharply limits what the feds can do with data breach violators also prevents the states from getting involved?
But wait, it gets better. If the goal of the criminal is identity theft—as opposed to direct credit-card fraud—there’s a ton of extremely useful information in retail databases. Alas, the bill’s current version goes out of its way to exclude any CRM data theft.
The personally identifiable data is referred to in the bill as a consumer’s “personal electronic record,” which it defines as “data associated with an individual contained in a database, networked or integrated databases, or other data system that is provided by a data broker to nonaffiliated third parties and includes personally identifiable information about that individual.” Makes sense. But the next line is the chief exclusion.
“The term ‘personal electronic record’ does not include any data related to an individual’s past purchases of consumer goods or any proprietary assessment or evaluation of an individual or any proprietary assessment or evaluation of information about an individual.” Well, so much for CRM files.
One of the tougher-sounding provisions of the bill is personal responsibility—backed up with a threat of five years in prison—for anyone who knows of a breach and “intentionally and willfully conceals the fact of such security breach.”
At first blush, the bill sounds like it’s threatening retail IT employees with prison if they don’t report breaches. But it doesn’t really go there. To begin with, “intentionally and willfully concealing” is quite different from not volunteering. This would cover an IT manager who personally forged security logs to keep IT management and the government in the dark about a breach. But it’s not suggesting prison time for someone who fails to report a breach.
And even if someone did hide a breach, almost no retail breaches would be relevant anyway. The bill limits that exposure to breaches involving “economic harm to any individual in the amount of $1,000 or more.” As the TJX and Hannaford breaches made clear, payment card zero-liability rules make it just about impossible for consumers to have any significant out-of-pocket costs, and certainly not $1,000 or more.
Had that provision spoken of losses to retailers of $1,000 or more—alert costs, security fixes, reissuing of payment cards, etc.—and used that to define a serious breach, this would be a very different bill.