Friday, April 6, 2012

Do We Have a Data Security Crisis in America?

On Monday, I tweeted (@dennisEFTA) my thankfulness for Congress being on recess as news broke on the Global Payments data breach. The saying goes Congress does two things: nothing or overreact. Nothing spells public policy disaster more than Congress overreacting to a perceived crisis (see Sarbanes-Oxley).

Do we have a data security “crisis” in America? I certainly do not possess the proper expertise in this area to give a good answer. FBI Director Robert Mueller recently told attendees at an RSA security conference in San Francisco that two companies exist in America: those that have been hacked and those that will be. We know when these breaches occur because most states have laws requiring companies to notify authorities and consumers when sensitive, personal information is unduly accessed or lost. At this writing, Congress has not acted on a national data breach notification bill.

This may change, however. We certainly do not have a shortage of cyber-security, data security and breach notice bills before the Congress. In fact, Congress has not passed any bill over the years due to overlapping jurisdiction and committees. Is data protection a commerce issue, a technology issue, a homeland security issue or a judicial issue? April 23 begins cyber-security awareness week in Washington. The House of Representatives leadership has difficult choices ahead on what bill to bring to the Floor for a vote. On the Senate side, the competition is between the Lieberman-Collins approach of possible government control over “critical infrastructures” and the McCain proposal to allow greater information sharing between the public and private sectors. And, has data security and breach notification taken a back seat to these larger cyber-security proposals?

While Congress struggles to untangle the jurisdictional mess, where is the American consumer in this debate? I speculate the real reason Congress has not enacted data security legislation is the lack of demand from the American public. We hear news reports of data breaches all the time. Some even receive letters from companies that their personal data has been lost or unduly accessed. Survey data suggest Americans are still very concerned about identity theft and conducting financial transactions over the Internet. I do not sense, however, Americans are expressing outrage to Members of Congress. Is one reason that most data breaches do not actually result in harm to the consumer? And, if financial harm does occur, like unauthorized transactions on a stolen credit card, do Regulation E protections blunt consumer outrage?

I wish I had a good answer as to whether President Obama will sign any meaningful data security legislation into law by year’s end. Meantime, I can confidently write EFTA members spend great time, effort and resources protecting the billions of sensitive, financial records in their possession. It’s the law (Gramm-Leach-Bliley’s Safeguards Rule), but it’s also good business and the right thing to do for the American consumer.
