Ed's Blog

We testify on data breaches again

By Ed Mierzwinski
Consumer Program Director

This morning, I testify in the Subcommittee on Financial Institutions and Consumer Credit of the House Financial Services Committee in the latest hearing on the Target data breach. The committee should post all the testimony and have a live video feed here at 10am.

As I did in a Senate hearing last month, I will try to shift the debate from the supposed need for a "uniform national data breach notification standard" to much more important issues, such as improving consumer rights when they use unsafe debit cards to ensuring that standards for payment card and card network security are set in an open, fair way that holds banks and card networks accountable for forcing merchants and consumers to rely on inherently unsafe, obsolete magnetic stripe cards.

This is a somewhat long-ish blog where I lay out my main recommendations to Congress:

1) Congress should improve debit/ATM card consumer rights and make all plastic equal:

Credit cards are safe, by law. Debit cards have “zero liability” only by promise. The shared risk fraud standard for debit cards under law – where consumers could be liable for up to $500 or more in losses -- appears to be vestigial, or left over from the days when debit cards could only be used with a PIN. Since banks encourage consumers to use debit cards, placing their bank accounts at risk, on the unsafe signature debit platform, this fraud standard should be changed. Compare some of the Truth In Lending Act’s robust credit card protections by law to the Electronic Funds Transfer Act’s weak debit card consumer rights at this FDIC website.

As a first step, Congress should institute the same fraud cap, $50, on debit/ATM cards as exists on credit cards. Congress should also provide debit and prepaid card customers with the stronger billing dispute rights and rights to dispute payment for products that do not arrive or do not work as promised that credit card users enjoy (through the Fair Credit Billing Act, a part of the Truth In Lending Act). For a detailed discussion of these problems and recommended solutions, see "Before the Grand Rethinking: Five Things to Do Today with Payments Law and Ten Principles to Guide New Payments Products and New Payments Law," by Gail Hillebrand (then with Consumers Union, now at the CFPB).

Debit/ATM card customers already face cash flow and bounced check problems while banks investigate fraud under the Electronic Funds Transfer Act. Reducing their possible liability by law, not simply by promise, won’t solve this particular problem, but it will force banks to work harder to avoid fraud. If they face greater liability to their customers and accountholders, they will be more likely to develop better security.

2) Congress should not endorse a specific technology. If Congress takes steps to encourage use of higher standards, its actions should be technology-neutral and apply equally to all players.

“Chip and PIN” and “Chip and signature” are variants of the EMV technology standard commonly in use in Europe. The current pending U.S. rollout of chip cards will allow use of the less-secure Chip and Signature cards rather than the more-secure Chip and PIN cards. Why not go to the higher Chip and PIN authentication standard immediately and skip past Chip and Signature? Further, Congress should not embrace a specific technology. Instead, it should take steps to encourage all users to use the highest possible existing standard. Current standards are developed in a closed system run by the banks and card networks. New standards should be developed in an open system that encourages innovation and applies equally to banks as well as merchants and others.

Further, as most observers are aware, chip technology will only prevent the use of cloned cards in card-present (Point-of-Sale) transactions. It is an improvement over obsolete magnetic stripe technology in that regard, yet it will have no impact on online transactions, where fraud volume is much greater already than in point-of-sale transactions.

Experiments, such as with “virtual card numbers” for one-time use, are being carried out online. It would be worthwhile for the committee to inquire of the industry and the regulators how well those experiments are proceeding and whether requiring the use of virtual card numbers in all online debit and credit transactions should be considered a best practice.

3) Investigate Card Security Standards Bodies and Ask the Prudential Regulators for Their Views:

To ensure that improvements continue to be made, the committee should also inquire into the governance and oversight of the development of card network security standards. Do regulators sit on or have oversight over the PCI card security standards board? As I understand it, merchants do not; they are only allowed to sit on what may be a meaningless “advisory” board.

4) Congress should not enact any new legislation sought by the banks to impose their costs of replacement cards on the merchants:

Target should pay its share but this breach was not entirely Target’s fault. Disputes over costs of replacement cards should be handled by contracts and agreements between the players. How could you possibly draft a bill to address all the possible shared liabilities?

5) Congress should not enact any federal breach law that preempts state breach laws or, especially, preempts other state data security rights:

In 2003, the Fair and Accurate Credit Transactions Act did not do enough to prevent identity theft. But it did not preempt new state privacy laws. Since 2003, fully 46 states enacted tough security freeze laws (based on a U.S. PIRG/Consumers Union model law) and 49 others enacted breach notification laws. State “laboratories of democracy” flourished.

But industry lobbyists (and this isn't only the banks, but includes the chemical industry, car makers, airlines, the drug companies and pretty much everyone else) prefer to enact weak federal laws accompanied by strong limits on the states. That is the wrong way to go. Broad preemption will prevent states from acting as first responders to emerging privacy threats. Congress should not preempt the states. In fact, Congress should think twice about whether a federal breach law that is weaker than the best state laws is needed at all.

6) Congress Should Allow For Private Enforcement and Broad State and Local Enforcement of Any Law It Passes:

The marketplace only works when we have strong federal laws and strong enforcement of those laws, buttressed by state and local and private enforcement.

7) Any federal breach law should not include any “harm trigger” before notice is required:

The better state breach laws, starting with California’s, require breach notification if information is presumed to have been “acquired.” The weaker laws allow the company that failed to protect the consumer’s information in the first place to decide whether to tell them, based on its estimate of the likelihood of identity theft or other harm. Only an acquisition standard will serve to force data collectors to protect the financial information of their trusted customers, accountholders or, as Target calls them, “guests,” well enough to avoid the costs, including to reputation, of a breach.

8) Congress should further investigate marketing of overpriced credit monitoring and identity theft subscription products:

In 2005 and then again in 2007 the FTC imposed fines on the credit bureau Experian for deceptive marketing of its various credit monitoring products, which are often sold as add-ons to credit cards and bank accounts. Prices range up to $19.99/month. While it is likely that recent CFPB enforcement orders against several large credit card companies for deceptive sale of the add-on products – resulting in recovery of approximately $800 million to aggrieved consumers -- may cause banks to think twice about continuing these relationships with third-party firms, the committee should also consider its own examination of the sale of these credit card add-on products. See my recent post.

Consumers who want credit monitoring can monitor their credit themselves. No one should pay for it. You have the right under federal law to look at each of your 3 credit reports (Equifax, Experian and TransUnion) once a year for free at the federally-mandated central site annualcreditreport.com. Don't like websites? You can also access your federal free report rights by phone or email. You can stagger these requests – 1 every 4 months -- for a type of do-it-yourself no-cost monitoring. And, if you suspect you are a victim of identity theft, you can call each bureau directly for an additional free credit report. If you live in Colorado, Georgia, Massachusetts, Maryland, Maine, New Jersey, Puerto Rico or Vermont, you are eligible for yet another free report annually under state law by calling each of the Big 3 credit bureaus.

And kudos to Discover Card for leading the way in disclosing credit scores on account statements. Director Rich Cordray and the Consumer Financial Protection Bureau have recently launched a campaign to encourage this voluntary practice. It should help end the sale of over-priced credit monitoring. Eventually, we hope credit scores will also be made part of credit reports, so anyone, not just credit card holders, can see them.

9) Review Title V of the Gramm-Leach-Bliley Act and its Data Security Requirements:

The 1999 Gramm-Leach-Bliley Act imposed certain data security responsibilities on regulated financial institutions, including banks. The requirements include breach notification in certain circumstances. The committee should ask the regulators for information on their enforcement of its requirements and should determine whether additional legislation is needed.

10) Congress should investigate the over-collection of consumer information for marketing purposes. More information means more information at risk of identity theft. It also means there is a greater potential for unfair secondary marketing uses of information:

In the Big Data world, companies are collecting vast troves of information about consumers. Every day, the collection and use of consumer information in a virtually unregulated marketplace is exploding. New technologies allow a web of interconnected businesses – many of which the consumer has never heard of – to assimilate and share consumer data in real-time for a variety of purposes that the consumer may be unaware of and may cause consumer harm. Increasingly, the information is being collected in the mobile marketplace and includes a new level of localized information.

Although the Fair Credit Reporting Act limits the use of financial information for marketing purposes and gives consumers the right to opt-out of the limited credit marketing uses allowed, these new Big Data uses of information may not be fully regulated by the FCRA. The development of the Internet marketing ecosystem, populated by a variety of data brokers and advertisers buying and selling consumer information without their knowledge and consent, is worthy of Congressional inquiry. See the FTC’s March 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers." Also see my paper with Jeff Chester of the Center for Digital Demcoracy, at the Suffolk University Law Review, “Selling Consumers Not Lists: The New World of Digital Decision-Making and the Role of the Fair Credit Reporting Act.”

Comments

South Africa is brimmed with the excitement and joy of World Cup and if you want to be a core fan of any team then it is time to know about the best teams. I would prefer Spain due to many reasons which will convince you also.
http://rosie.besaba.com/alfamart-official-partner-merchandise-piala-duni...
http://maskodoq.blogspot.com/2013/07/CiptoJunaedy.html
http://maskodoq.blogspot.com/2014/03/unit-link-terbaik-di-indonesia.html
http://etnisjawa.blogspot.com/2013/08/apakah-cipto-junaedy-bohong.html
http://rosie.besaba.com/situs-online-terbaik-terpercaya/

http://mahirseogoogle.blogspot.com/2014/06/adro.html ADRO TEXTILE Konveksi Murah Indonesia – Tlp 081362666444 !
http://clorot.blogspot.com/2014/04/kursus.html Kursus SEO dan Internet Marketing Terbaik di Jakarta

This Blog Share About Download Software and Drivers Printer Canon,HP,Epson,Brother,Samsung,Dell,etc

http://dosodrive.blogspot.com

I am very happy to read this. This is the kind of manual that needs to be given and not the random misinformation t hat's at the other blogs. Appreciate your sharing this best posting. Ibcbet

As I did in a Senate hearing last month, I will try to shift the debate from the supposed need for a "uniform national data breach notification standard" to much more important issues, such as improving consumer rights when they use unsafe debit cards to ensuring that standards for payment card and card network security are set in an open, fair way that holds banks and card networks accountable for forcing merchants and consumers to rely on inherently unsafe, obsolete magnetic stripe cards.
http://etnisjawa.blogspot.com/2014/07/gudang-situs-online-terbaik-terper...
http://etnisjawa.blogspot.com/2014/07/agen-texas-dan-domino-online-indon...
http://rosie.besaba.com/pokrstar88/
http://rosie.besaba.com/cipto-junaedy-dan-karyanya/
http://dirosie.com/800/singgasana-hotels-resorts-pilihan-akomodasi-terba...
http://vacationsbythebeach.com/gudang
http://rosie.besaba.com/pokrstar88/
http://dirosie.com/800/singgasana-hotels-resorts-pilihan-akomodasi-terba...

Pretty interesting to know. This is one of the most useful blogs I have ever arround this subject Thanks for sharing.

www.artikel.web.id - www.kpk.web.id

http://www.sportrabbit.org The obscure little rabbit. He is food for many of the predators of the wild. He reproduces at an alarming rate. He can be found in most areas of the country.

http://www.sportindustryjobs.org Looking to make a career change into a fun and exciting industry? Do you find yourself obsessive about your favorite sport? If so, then breaking into the sports industry just might be what you are looking for.

http://www.betterfootball.org Football (or soccer as the 'non-Brits' refer to it as) is the most popular sport in the World. Millions of people play, at various levels, every single day. Most people play for fun, others professionally, however the aim of the game is almost always the same - WIN!

Despite these improvements, not all toys on store shelves are tested by the Commission and parents still need to take care to seek out safe toys. Our Trouble in Toyland survey found five major hazards in the toys we surveyed: http://goo.gl/QX1YL2 http://kwn.me/p243
http://goo.gl/ms9gJ2
http://goo.gl/G1cGxl http://goo.gl/Ibe4n0
http://goo.gl/dKoer7 http://kwn.me/p244 Precisely what a few clearance about ones v-beck with the - it looks like . Voting rights were the big issue in committee last week. Keep an eye out for updates as we move forward! Every day, our families are bombarded by a toxic soup of chemicals found in consumer products, in air, food and water pollution. Maryland PIRG supports legislation that at www.muhammadridwan.web.id

http://www.traveltohelp.org Traveling with kids can be complicated and frustrating at times. When your kids are tired and cranky it can be hard on everyone, especially if you are in a confined space such as a car or plane.

http://www.smartgridbusinessnetwork.org One of the few people that make me sit up and take notice whenever they speak or write about online business is Ryan Deiss, this guy is a real pro and makes a ton of money from his various turnkey businesses.

I have recently started a blog, the info you provide on this site has helped me greatly. There is obviously a lot to know about this. I think he did some good things in features also. Keep working, great job! Thanks for a very interesting blog. What else can I get that kind of information written in such a perfect approach? I have a company that I"m simply now operating on, and I"ve been on the look out for such information.
http://www.seoedan.com/2014/04/abcbolacom-agen-judi-bola-terpercaya.html
http://bit.ly/1lU7Jcp
http://goo.gl/og86m8
http://goo.gl/uAERQv
http://goo.gl/uk3o0o
http://goo.gl/C0GcaC
http://goo.gl/tdZjqh
http://goo.gl/p3lbsB
http://goo.gl/BM9MC7
http://goo.gl/oAqmPL
http://goo.gl/og86m8

http://www.esportshub.org Singapore has become a sort of a sporting phenomenon of late, and we can only place the root of this new, sprouting interest to our recent successes of late. We have two world-class table tennis players who displayed a magnificent performance at the recent Beijing Olympics.

Pages

Priority Action

The overuse of antibiotics on factory farms is threatening the effectiveness of lifesaving antibiotics. Call on the Obama administration to put an end to the worst practices.

Support Us

Your donation supports U.S. PIRG’s work to stand up for consumers on the issues that matter, especially when powerful interests are blocking progress.

Consumer Alerts

Join our network and stay up to date on our campaigns, get important consumer updates and take action on critical issues.