Credit and debit card payment data breaches by hackers in recent months have exposed millions of consumers of retailers including Target, Neiman Marcus, Michaels Stores and White Lodging, which is the parent company of hotel brands including Courtyard and Hampton Inn.
Legislators are considering new approaches for retailers to beef up data security, as observed on Wednesday during a hearing by House Energy and Commerce Committee Chairman Fred Upton, R-Mich.
"We must consider whether the current multilayer approach to data security – federal, state, and industry self-regulation – can be more effective, or whether we need to approach the issue differently," Upton said in his prepared remarks.
Stricter requirements for companies to notify consumers to protect themselves after data breaches was a solution pitched during the hearing by Rep. Lee Terry, R-Neb. Approximately 47 percent of the fraudulent credit and debit losses worldwide occur in the U.S., even though it Americans conduct only 30 percent of the transactions, Terry said.
“I am working on legislation that would foster quicker notification by replacing the multiple – and sometimes conflicting – state notification regimes with a single, uniform federal breach notification regime,” Terry said in his opening statement.
Retail lobbying groups including the National Retail Federation have opposed data security bills in recent years out of fear that new digital security regulations could be expensive to comply with and ineffective because hackers could adapt to government standards. Terry alluded to that concern when he said, “cumbersome statutory mandates can be ill equipped to deal with evolving threats.”
The NRF does, however, support uniform federal rules for businesses to notify customers about data breaches to simplify the existing state-by-state model.
During the hearing Wednesday, Federal Trade Commission Chairwoman Edith Ramirez also called for a strong federal data security and breach notification law, repeating her agency’s increasing ambitions regarding digital privacy.
“With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act,” Ramirez said.
Congress should consider strengthening the FTC’s authority to punish unfair business practices so the agency can push for retailers to improve security, said Sen. Elizabeth Warren, D-Mass., on Monday during a hearing of the Banking, Housing and Urban Affairs Subcommittee on National Security, International Trade and Finance.
"Data-security problems aren't going to go away on their own, so Congress seriously needs to consider whether to strengthen the FTC's hand," Warren said.
Sen. Dianne Feinstein, D-Calif., also introduced the Data Security and Breach Notification Act on Jan. 30.
“The recent string of massive data breaches proves companies need to do more to protect their customers,” Feinstein said in a release.
Retailers spend 4 percent of their technology budgets on security, less than the 5.5 percent spent by banks and 5.6 percent spent by health care companies, according to technology research firm Gartner.
Government agencies are also lagging behind on some basic safeguards including stronger passwords and timely patches and updates to security software, according to a report published on Tuesday by Sen. Tom Coburn, R-Okla., ranking member of the Homeland Security and Governmental Affairs Committee. In the report, Coburn details epic fails in government cybersecurity, including a case from February 2013 when hackers broadcast warnings of the zombie apocalypse to several cities using the U.S. Emergency Alert System.
“Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems and our citizens’ personal information,” Coburn said in a statement, citing audits and reviews from agencies including the Government Accountability Office.