Congress at Odds Over Data BreachesBy Caron Carlson
Despite a steady stream of data breach disclosures this year
"We need to do everything possible to ensure that our personal information re-mains privileged and protected when we make any financial transaction," said Rep. Sue Kelley, R-N.Y., chairman of the financial services committee's Subcommittee on Oversight and Investigation, who held a hearing Thursday to examine the CardSystems incident.
However, some members remain reluctant to impose any new regulations at all, contending that the marketplace will compel security improvements.
"Government intervention may hurt," said Rep. Patrick McHenry, R-N.C. "If the marketplace is going to deal with this, let's monitor it, let's watch it."
The marketplace responded swiftly last week to the CardSystems disclosures, as American Express and Visa Inc. canceled their contracts with the Atlanta-based credit card processing company.
As of Thursday, Mastercard International Inc., which had approximately 68,000 accounts compromised in the breach, has given CardSystems until Aug. 31 to comply with its data security requirements, according to Joshua Peirez, senior vice president and associ-ate general counsel at Mastercard.
John Perry, CardSystems president and CEO, told members of Congress that his company faces "imminent extinction" if the credit card companies do not reconsider their decisions to cancel their contracts.
"CardSystems is being driven out of business," Perry said at a hearing before the House Committee on Financial Services, adding that hundreds of merchants will be left in the lurch if the company closes.
Visa, which had approximately 22 million card numbers put at risk in the CardSystems breach, agreed to meet and discuss the situation with CardSystems, Perry said.
Within the House Financial Services Committee alone, three separate data pro-tection bills have been introduced, including two similar measures launched last week. Among the proposals are security requirements that resemble the safeguards imposed un-der the Gramm-Leach-Bliley Act. CardSystems was not supposed to maintain personally identifying data and therefore was not subject to GLBA requirements. However, the com-pany did hold that type of data in error.
All of the pending bills address the breached entity's responsibility to notify consumers of risk, but they differ in how much risk should be likely before notification is required. Some of the measures seek to mirror California's data breach notification law, which ex-empts companies that encrypt their data.
Another difference in the pending bills centers on whether federal legislation should pre-empt state laws, a provision that data holders are pressing for. Asked by Rep. Artur Davis, D-Ala., whether a federal ID theft law should pre-empt a state's general breach of contract or tort laws not specific to data theft, Visa's Ruwa said yes.
"Visa would support a national level approach," Ruwa said.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.