IT Security Guru

There Are Some Big Problems With This Data Breach Bill. Retailers Want Them Fixed.

by The Gurus
March 21, 2018
in Opinions & Analysis

We are reaping the proverbial whirlwind of our long years of relentless technological advancement.

Cyber-insecurity and constant data breaches are some of the growing pains of digital and wireless technologies. And even now, the private and public sectors can’t seem to agree on how to solve the problem or how bad things need to get before we do.

An illustrative example of this collision — between vulnerable technologies, corporate profit margins and insufficient government regulation — is the National Retail Federation’s response to a new bill concerning data breaches.

The bill, now in committee in the House, seeks to improve the robustness of our laws as they pertain to the handling of customer data and the corrective actions undertaken by regulatory bodies.

This bill, says the Federation, doesn’t go nearly far enough to protect the peace-of-mind of the average American.

National Retail Federation vs. House Financial Services Committee

Here are the NRF’s major grievances in their vice president’s own words:

“The legislation being considered by the committee is an important step forward but has significant loopholes that would allow major data breaches to be kept secret from the public. We want to work with the Committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur.”

Translation: This legislation is good, but it needs more work. The standards it proposes aren’t nearly high enough and don’t protect enough people.

To grant their arguments weight, the NRF drew upon research gathered in the Verizon 2017 Data Breach Investigations Report, which approached the problem across the entirety of modern industry.

Previous reports covered only the types of businesses which are explicitly required by law to disclose data breaches to their customers and to the public. As of this writing, financial institutions — themselves close partners of every retailer in America — are subject only to “discretionary” disclosure of breaches.

The NRF argues that a holistic approach, and nothing less, can deliver meaningful, consumer-centric regulation for data breaches across the entire economy.

A significant portion of the NRF’s “case” against the bill in its current form concerns the apparent protections it affords to banks. They also pointed to vagueness in the definition of key terms such as “service provider” as well as the structure of the requirements themselves, which, in their words, is a “one size fits all” solution to a multifaceted problem.

A better idea, they contend, would be to build out different rulesets for different types of businesses — most notably telecommunications companies, banks, card processing companies and any other types of business which come into contact with sensitive data.

More specifically, they argue, actions undertaken by regulators to prevent data breaches should be based on the inherent “risk” of specific industries as well as the “sensitivity” of the data involved.

Whether this “parceling out” of different types of risk is a slippery slope remains to be seen — and American law explicitly provides protections against “unlawful search and seizure.” Such a concept needn’t concern itself with the specific contents of what’s being protected.

Nevertheless, the NRF does have a point — and we can see why when we look at the most recent examples of what happens when ethically-compromised regulators attempt to respond to data and trust breaches.

A Recent History of Public and Private Sector Clashes Over Customer Protections

The approach now favored by the federal government against banks who mistreat their customers usually involves fines so small that the defendants laugh about them during Congressional hearings.

Elsewhere, technology companies great and small are drawing attention to the low protection standards for the technology-based financial service providers that power modern retail businesses.

Even if regulations at the federal level seem to peter out a few months after every data breach, and even if regulations can vary widely from state to state, the private sector is all the while making ever-more-sophisticated tools available for retailers and many other industries to deliver what regulation alone currently cannot.

In other words, even if government can’t hold every company to a uniform standard, each company can choose to hold itself to high standards by working with the right partners and technology platforms. It’s not perfect, but it’s a start. And a needed one.

In its dealings with Equifax, the federal government took precisely the approach the NRF warns about. People who have studied the government’s response and the rules considered, but not enacted even months later, have declared the measures proposed to be wholly insufficient. Insufficient to the point where Equifax might literally turn a profit as a result of their data breach.

The NRF Has a Point

It’s clear the NRF is vindicated in their claims that the small amount of regulation proposed, and the even smaller amount of regulation passed into law, don’t provide adequate or lasting protections for Americans.

Their argument that sensitive information should be “typified” by “sensitivity” is a slippery notion so long as “privacy in general” is still an inalienable right. But their argument that our current Congress and its Committees don’t appear to consider this a major priority is perfectly sound and fully backed up by recent history.
