Lawmakers, experts wrestle with data protection bill

“I’ve come to think of this issue as a threat to the national security infrastructure of the United States of America,” Tim Pawlenty, former Minnesota governor and CEO of the Financial Services Roundtable, told a congressional committee May 14.

The issue: data security.

Pawlenty and four other panelists testified before the House Financial Services Committee in a hearing that included debate on a data security bill, a major disagreement over the roles states should play (with Democrats uncharacteristically pushing federalism), and a senior lawmaker – who in the interest of guarding against identity theft should have known better -- pulling his own credit cards out and waving them around for the cameras as he asked questions about credit card fraud.

“I hope no one can read that,” New Jersey Republican Scott Garrett said after several minutes of displaying the numbers on television.

Much of the discussion centered on how incredibly vulnerable Americans are to data breaches – multiple panelists said half of all American adults had personal information exposed in hacks last year alone – and how if hackers were to disable the electronic payments system or power grid, the results would be calamitous.

“This is no longer college kids in their basements trying to have some fun trying to get into systems,” noted Pawlenty, saying state-affiliated actors from Russia, China and Iran are among those perpetrating high-profile data breaches.

Some 80 percent of consumers who had their personal information hacked in 2014 didn’t even know they’d been exposed, Pawlenty said.

Hacked businesses often didn’t discover breaches for months.

To fight this widespread ignorance, the legislation by Texas Republican Randy Neugebauer contains provisions requiring businesses -- banks, merchants and others -- to investigate potential breaches and alert the government and affected consumers upon discovery.

But while many lauded the measure – Pawlenty called it an “excellent piece of work” – others cautioned that it would actually weaken protections in some states with tougher laws on the books.

The bill would preempt existing state laws on data security and notifications for consumers when breaches occur.

Laura Moy, senior policy counsel at the Open Technology Institute, warned that a preempting federal law could stunt state creativity in addressing cybercrime. Thirteen states already have data security laws, with Massachusetts’ and California’s being especially rigorous, Moy said.

And, while breaches that involve millions garner headlines, she noted that data breaches affect an average of 74 consumers, meaning the Federal Trade Commission would likely not investigate many cases.

This issue of scale, she said, makes state attorneys general crucial players in data security, and she urged the committee not to cut them out of the process with a one-size-fits-all approach.

Moy was the sole voice on the panel expressing substantial criticism of Neugebauer’s bill, though several members of the committee also voiced concerns.

“Heck, I’m a liberal Democrat, I’m all for regulation,” said Michael Capuano (D-Mass.). “[But] most members of Congress, we’re not technologically capable.”

For that reason, Capuano argued, “We need flexibility” in data security legislation so states and regulatory agencies can boost security standards, rather than relying inflexibly on the standards laid out by tech-illiterate congressmen.

“We don’t think that you can regulate your way to security,” the Retail Industry Leaders Association’s Brian Dodge fired back, saying a strong federal framework would improve security but that ultimately private-sector ingenuity, not FTC rulemaking, would do the most to protect consumers.