Updated: 3/1/06; 2:10:19 PM.
Ed Foster's Radio Weblog
Tuesday, February 14, 2006

The still rather murky story about an unnamed retailer compromising thousands of customer debit card accounts is just one more in a remarkable string of security breaches we've all heard about over the last year. But don't be surprised if Congress soon puts a stop to it. Not the security breaches themselves, mind you, but our getting to hear about them.

Starting almost exactly a year ago with the ChoicePoint breach, we've been treated to revelation after revelation from companies forced to admit security lapses that exposed their customers -- or, all too frequently, somebody else's customers -- to possible identity theft. One of the reasons I find the debit card breach story interesting, though, is how clouded the story remains days after San Francisco Chronicle columnist David Lazarus first started probing it. It's still not completely clear which retailers, banks, and other financial institutions were involved, which means it's not clear whose customers might be at risk.

It's also interesting that this is happening in California. Of course, it is California's SB 1386, the Security Breach Information Act of 2003, that led to all of these security breach revelations in the first place, as companies doing business in California are required under that law to warn customers whose information was exposed. Perhaps in this case it's just a matter of the investigation not being far enough along for the institutions involved to be sure which customers need warning. But resistance to the disclosure standards of SB 1386 has been mounting in the financial industry, as we saw when banks like Chase refused last June to notify customers whose data had been exposed by CardSystems.

Not surprisingly, when big corporations start questioning whether all this disclosure of security breaches is really necessary, they find many in Congress willing to give them the answer they want. Their answer is H.R. 4127, the Data Accountability and Trust Act. As Roger Grimes' excellent analysis pointed out when the bill was approved at the subcommittee level, the proposed law is far from the privacy protection bill its supporters pretend it to be. Rather than emulating California's privacy law, the DATA act would preempt SB 1386 and similar privacy laws enacted in other states. It would also essentially leave it up to the company that suffers the data breach to decide if the risk is great enough to warrant disclosure to the public.

As Grimes observes, there are some disturbing parallels between the DATA Act and the proven failure known as the Can Spam Act of 2003. Like Can Spam, the Data Accountability and Trust Act pretends to get tough with Internet criminals while actually undercutting tougher state laws. But the DATA bill is worse. Although many state anti-spam laws were certainly better than the Can Spam Act, none of them showed signs of really making an important difference against the spam plague. In contrast, California's SB 1386 has been extremely effective at focusing attention on those companies that put our personal information at risk and, more generally, at revealing how big the data security problem really is. After all, how many of the ChoicePoints and CardSystems do you think we would have heard about this last year if it had been left to those companies to decide whether we really needed to be warned about their security breaches?

Hopefully the full story of the debit card breach will soon be disclosed, whether the companies involved want it to come out or not. And no doubt some in Congress will then once again claim they have the answer to the security problem, and it's the DATA act or something very much like it. So consider dropping a note to your Representative disclosing how much you would prefer Congress not mess with state laws that are at least shedding a little light on a situation where far too many companies wish to keep us in the dark.


12:47:30 AM  

© Copyright 2006 Ed Foster.