[BreachExchange] Banks battle retailers over proposal to disclose consumer hacks

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 8 17:16:00 EST 2018


https://www.americanbanker.com/articles/banks-battle-retailers-over-proposal-to-disclose-consumer-hacks?tag=00000154-4da2-d45e-a175-6fbf03b40000

Banks and retailers are sparring over whether financial firms should follow
a new national standard to quickly notify consumers when they've
experienced a data breach.

Equifax said last week that it would notify an additional 2.4 million
consumers whose data was exposed in its massive 2017 data breach, but a
draft of a House bill with bipartisan support would exempt the
credit-reporting agency from the new requirements.

The proposal, backed by Reps. Blaine Luetkemeyer, a Missouri Republican,
and Carolyn Maloney, a New York Democrat, would establish a federal mandate
for when and how certain companies, like retailers, tell customers about a
data breach. Financial institutions would be exempt because they already
have to adhere to the 1999 Gramm-Leach-Bliley Act, which establishes
privacy protections for consumers, according to Luetkemeyer's office.
Equifax falls under that category because it collects sensitive financial
information.

Despite multiple efforts in recent years, no bills have been passed that
would establish a national standard for data breach notification. The
Luetkemeyer-Maloney proposal is already drawing critics among consumer
advocates.

The legislation as currently drafted is "the worst of both worlds," said
Mike Litt, consumer campaign director of the consumer advocacy group U.S.
PIRG. "You are creating a national standard that exempts a company like
Equifax or at the very least leaves it uncertain what their obligations
are, which is disappointing."

U.S. PIRG along with the Consumer Federation of America have said that any
federal legislation should include financial institutions and clear the way
for states to pass even tougher notification requirements.

'Piecemeal fashion'

Lawmakers have been pushing for a national standard following high-profile
cyberattacks on Equifax, Uber and Yahoo, which compromised the personal
information of millions of Americans. House and Senate panels have held
hearings in recent months, with another one scheduled for Wednesday by a
House Financial Services subcommittee to discuss proposals to reform data
security and breach notification laws.

Pressure mounted last week after Equifax said it was belatedly notifying
the additional consumers whose identities had been stolen last year: because
only partial driver's license information had been taken, the company said
it had been unable to confirm who those consumers were at the time.

"While I credit Equifax for continuing to examine the scope of its massive
data breach that lost sensitive personal and financial information, the
company should have acted sooner to mitigate the impact on these additional
affected consumers," Sen. John Thune of South Dakota said in a statement.
"Equifax needs to put consumers first and shouldn't be trying to clean up
its mess in a piecemeal fashion."

Currently, there is no federal breach notification standard for nonfinancial
companies. Instead, they follow a patchwork of notification laws in 48
states, which vary in how much time companies have to disclose a breach and
whom they are required to notify. Companies may argue they need time to
determine the extent of a breach and close the hole before disclosing it to
consumers, so as not to invite additional attacks while it is still open.

Luetkemeyer's bill would require companies to "immediately notify without
unreasonable delay" customers when there's a risk a data breach could
expose them to identity theft or fraud. The proposal, which would preempt
state laws, also requires businesses to inform the Secret Service or the
Federal Bureau of Investigation if the breach affects more than 5,000
consumers.

"For each state with robust consumer protection laws on the books, there
are many others with extremely weak protections," Luetkemeyer said in a
statement. "Under my draft legislation, a breached entity is required to
notify consumers immediately if their personal information has been
accessed and law enforcement has approved. This standard is not required
under current law, but the reason for immediate notification is simple:
consumer protection."

'Swiss cheese notification'

Luetkemeyer's proposal also requires companies to take preventative
measures to protect the security and confidentiality of information that
are appropriate given the size of the business and the sensitivity of its
data. For instance, a pizza parlor wouldn't have to take the same
precautions as a major mobile app storing sensitive payment information.

Lawmakers have tried to pass national data breach notification laws for
years. After news of a cybersecurity attack at Target Corp. broke in 2013,
lawmakers over the next few years offered an array of bills or amendments
addressing data breaches, but not one passed.

David French, the senior vice president for government relations at the
National Retail Federation, said the group supports a national standard,
but thinks financial firms should be included since the Gramm-Leach-Bliley
Act predates modern cybersecurity vulnerabilities.

"If you do a Swiss cheese notification structure, where only some
businesses are required to notify and not all, then the consumer doesn't
really know who is putting their data at risk," French said.

'Acceptable leaks'

The National Retail Federation is backing an advertising campaign over
radio and on digital platforms in the Washington area to push for all
industries to be included in a new standard, according to French.

Lobbying groups for banks and credit unions, including the American Bankers
Association and Financial Services Roundtable, argue that they are already
required to follow rigorous data protection and breach notification
practices.

Advocates point to guidance from the Federal Deposit Insurance Corp., which
instructs financial institutions to notify customers when their personal
information has been illegitimately obtained and could be misused.

"Banks are required to maintain highly secure systems, while other sectors
have no federal standards," Jess Sharp, senior vice president for the
American Bankers Association, said in a statement.

"It's like delivering water through a pipe but saying it's acceptable for
some sections to leak. Those weak spots are where consumers get hurt."