Massive cyber threat gives a sense of urgency to long-stalled legislation.
WASHINGTON – Computer hackers’ massive theft of customer data from Target Corp. could break a near-decade-long congressional gridlock over proposals to better protect credit and debit card information.
Hearings in February will examine not only the details of how cyber thieves stole the information but also several bills to protect consumers and punish criminals.
“With a theft of this magnitude, it will change the dynamics,” said U.S. Sen. Amy Klobuchar, D-Minn. “We have to figure out something that’s actually going to be able to move the ball here and stop some of this theft.”
For years, legislative efforts to codify such things as data protection and disclosure of information theft have languished in committees because of disagreements about how far regulations should reach. It’s possible those rifts could re-emerge in the bitterly partisan Congress, but for now some members see a new sense of urgency.
To avoid a repeat of the Target breach, which exposed data from as many as 110 million customers, legislators are looking at a three-pronged approach. It would require technology improvements that make credit and debit cards more secure, provide enhanced charges and penalties for those who steal data, and set stricter rules for reporting security breaches.
The Senate has four data security proposals that many in the chamber believe could be combined into a single bill that would win approval and go to the House.
The House has several cyber security bills and one breach notification bill.
Minnesota Democratic Sen. Al Franken co-sponsored the most detailed of the Senate plans, and Klobuchar supports it. Both believe the Target theft will finally secure a vote on a bill dealing with the protection of personal information.
“I can’t imagine that it wouldn’t,” Franken said, “because this is one of the biggest breaches in history.”
Three of the Senate bills aim to set minimum standards for protection of information and disclosures of data thefts.
One of those bills, offered by Sen. Patrick Leahy, D-Vt., and backed by Franken and Klobuchar, would expand the kinds of criminal charges and the length of prison sentences federal prosecutors may seek for those who steal personal information.
The bill would also make businesses comply with data “safeguards” set by the Federal Trade Commission and require companies to have data protection systems “appropriate to the size and complexity” of their operations.
Finally, the bill would require agencies and businesses “to notify any U.S. resident whose information has been accessed or acquired without unreasonable delay after the discovery of a security breach.”
The fourth Senate bill calls for “development of a voluntary, industry-led set of standards and procedures” to reduce the risk of cyber crime.
Franken recently wrote letters to major U.S. credit and debit card companies asking them why chip and personal ID number technology that makes cards more secure and is widely employed in Europe is not used in the United States.
“Because we don’t [use the technology], we’re clearly being targeted by hackers domestic and overseas. This is organized crime now,” Franken said. He noted that the United States conducts a quarter of the world’s credit and debit card transactions but suffers half the world’s card fraud.
Target CFO to testify
The Senate Judiciary Committee — which includes both Franken and Klobuchar and is chaired by Leahy — will question the chief financial officer of Target, John Mulligan, at a Feb. 4 hearing.
Klobuchar plans to focus on technology. “Pushing this new technology is going to be very important if we want to get ahead of the thieves,” she said.
Other members of the Minnesota delegation believe action is overdue.
“I’m a Target customer, and I’m concerned,” said Rick Nolan, a Democrat who represents the Eighth Congressional District. “Frankly, I’m not sure what to do. We need some protocols.”
Nolan pointed out that some electronic privacy laws were written in the mid-1980s and are woefully inadequate to deal with technology that seems to grow more sophisticated each week. He believes his colleagues in the GOP-run House will agree.
Since the Target theft came to light Dec. 19, Nolan said he feels “much more momentum and strongly held concern that transcends party lines.”
That unity of purpose would stand in contrast to years of partisan differences that foiled attempts to pass data security laws. “This could be a bipartisan issue,” said First District Rep. Tim Walz, a Democrat who talked of using technologies developed by U.S. security agencies to help private companies protect customer information. “We are incredibly vulnerable. To not do anything could harm the economy.”
Still, it’s hard to gauge how deep the bipartisan spirit goes. No Minnesota Republican members of the House responded to a Star Tribune request to discuss the possibility of new data security laws.
Retailers and credit card companies have lobbied against past attempts to impose stricter regulations.
But Rep. Keith Ellison, the Democrat who represents Minneapolis, where Target is headquartered, says he has “gotten a sense” from the company that it is open to efforts to improve credit and debit card technology.
“We need to work with retailers to get a systemwide buy-in to move forward,” Ellison said. “At the end of the day, it will be expensive to upgrade. But it is cheaper than getting ripped off.”
Jim Spencer • 202-383-6123