Despite a steady stream of reported data thefts this year—most recently by CardSystems Solutions Inc.—members of Congress are unable to agree on how to combat the growing threat to consumer privacy.
The roster of divergent potential solutions grew again Thursday.
“We need to do everything possible to ensure that our personal information remains privileged and protected when we make any financial transaction,” said Rep. Sue Kelley, R-N.Y., chairwoman of the financial services committee’s Subcommittee on Oversight and Investigation, which held a hearing Thursday to examine the CardSystems incident.
But some members remain reluctant to impose any new regulations at all, contending that the marketplace will compel security improvements.
“Government intervention may hurt,” said Rep. Patrick McHenry, R-N.C. “If the marketplace is going to deal with this, let’s monitor it, let’s watch it.”
The marketplace responded swiftly last week to the CardSystems disclosure; both American Express and Visa Inc. canceled their contracts with the Atlanta-based credit card processing company.
As of Thursday, MasterCard International Inc., which had about 68,000 accounts compromised in the breach, has given CardSystems until Aug. 31 to comply with its data security requirements, according to Joshua Peirez, senior vice president and associate general counsel at MasterCard.
John Perry, CardSystems president and CEO, told members of Congress that his company faces “imminent extinction” if the credit card companies do not reconsider their decisions to cancel the contracts.
“CardSystems is being driven out of business,” Perry said at a hearing before the House Committee on Financial Services, adding that hundreds of merchants will be left in the lurch if the company closes.
Visa, which had about 22 million card numbers put at risk in the CardSystems breach, agreed to meet and discuss the situation with CardSystems, Perry said.
Within the House Financial Services Committee alone, three separate data protection bills have been introduced, including two very similar measures launched last week. Among the proposals are security requirements that resemble the safeguards imposed under the GLBA (Gramm-Leach-Bliley Act).
CardSystems was not supposed to store data that could be used to identify individuals, and therefore was not subject to GLBA requirements. But the company did hold that type of data.
All of the pending bills address the breached entity’s responsibility to notify consumers of risk, but they differ in how much risk should be required before notification is required. Some seek to mirror California’s data-breach notification law, which exempts companies that encrypt their data.
Another difference in the pending bills centers on whether federal legislation should pre-empt state laws, a provision which data holders are pressing for. Asked by Rep. Artur Davis, D-Ala., whether a federal ID theft law should pre-empt a state’s general breach of contract or tort laws not specific to data theft, Visa’s Ruwa said yes.
“Visa would support a national-level approach,” Ruwa said.