To listen to some House Republicans at the Target hearing Wednesday, and the Senate Republicans on Tuesday, one would be forgiven for thinking that the massive data breaches experienced by customers of Target, Neiman Marcus and the hotel management chain White Lodging were serious enough to warrant two Congressional hearings (and one more to come), but not a single change to federal law.
Responding to Senate Democrats' interest in a new federal breach notification law, which would require companies to notify people in a uniform way if their personal data was lost or stolen, Sen. Charles Grassley (R-Iowa) said, "Overnotification can lead to harm and apathy" -- just moments before Sen. Dianne Feinstein (D-Calif.) told the room that she had been affected by one of the data breaches but had yet to receive any notice.
The House committee's Privacy Working Group co-chair, Rep. Marsha Blackburn (R-Tenn.), seemed entirely unconvinced that any new legislation was necessary, suggesting that the House might only have to decide how to "take the rules on the books for the physical space and apply them to the virtual space to encourage commerce" -- even though she acknowledged how concerned her constituents remained about their own security.
The Right to Know
It's not as though these breaches are the first to affect millions of Americans and, rest assured, they won't be the last. Data breaches are destined to join death and taxes as the third certainty in life, as a new Javelin survey this week shows. Javelin's numbers indicate that 2013 was the second most prolific year for identity thieves in recent history, with a near-record 13.1 million Americans being affected to the tune of $18 billion -- an increase of 500,000 victims over 2012.
But it's only going to get worse for people -- between the slow crawl by retailers and card issuers to make the requisite investment to replace the ubiquitous, less-secure magnetic stripe cards and readers with a fully functional chip-and-PIN smartcard system that provides a heightened level of security, and the exponential increase in the technological sophistication of hackers determined to maximize the take from their criminal activities.
Americans have the right to know when their financial lives have been put at risk by one of the many organizations that collect and maintain their data -- be that medical information, personally identifying information and/or financial information. But currently, each state has a different law (if it has one at all), making notifications more difficult to handle correctly, especially for small organizations -- and the laws all require companies to reveal different things in different ways, making it hard for consumers to understand how they might or might not really be affected.
As Sen. Feinstein noted, some in the business community have been fighting against federal breach notification standards for years, even as the number of breaches and the number of Americans affected by each breach have skyrocketed. In the past two months, it's possible that fully half of this country -- or more -- has been snared in one of the breaches that have made the nightly news, and those are just the ones about which we know.
But House Republicans seemed more interested in encouraging companies like Target and Neiman Marcus to participate in the Department of Homeland Security's information-sharing system for critical infrastructure, in which companies and the government share information with each other, than legally requiring companies under federal law to share information with the consumers actually affected by the breaches.
(Notably, Homeland Security did in fact warn retailers about potential malware breaches in January, well after Target and Neiman Marcus' -- and potentially other retailers' -- customers had been affected.)
Empowering the Consumer
It's time to stop the tired anti-government rhetoric and start dealing with the reality that people need to know when their data has been exposed to criminals so they can be on alert and take steps to mitigate the risks engendered by that exposure. Most people assume that if they do all the right things, they can protect themselves from being victims of identity theft.
But as these ongoing data breaches prove, if your data is in the wrong database at the wrong moment when the wrong person gains unauthorized access, it doesn't matter how many credit card offers or sensitive documents you have shredded over the years: you can and very likely will be victimized by identity thieves. Without the knowledge that your personal or financial information has been exposed in a breach, you can hardly take the proactive steps needed to protect your identity or be on heightened alert for phishing scams in all their various new-fangled forms.
Once identity thieves have your information, their ability to exploit it (and you) doesn't stop if and when your bank replaces one credit card or you change one password. It costs them little additional effort to relentlessly bombard your inbox with real-seeming emails from your supposed bank, or phone calls from your supposed utility provider, or text messages from your supposed cellphone company -- and their payday can be massive if they just get one person in a hundred to click, call, reply or give up a credit card number.
But to hear Republicans talk, the real danger is that you might get too many notifications that your identity is at risk. Must be nice to be a Senator, eh?
Adam Levin is chairman and cofounder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.