The House Financial Services Committee held a hearing, “Protecting Consumers: Financial Data Security in the Age of Computer Hackers,” on May 14, 2015, to explore whether federal legislation relating to data security and breach notification standards is warranted. At the committee’s request, witnesses shared their perspectives on why and how data breaches occur; how consumers are notified following a breach; what security measures and standards are in place to prevent breaches; what types of payment system technologies are under development; and what national standards are needed.
New technologies. Jason Oxman, Chief Executive Officer, Electronic Transactions Association, testified that the payments industry is already deploying new technology to address fraud. Oxman pointed out that because liability for cyber attacks in the United States often falls to the companies in the payments industry, members of the ETA “have a strong interest in making sure fraud does not occur.”
“We are leading the migration to EMV (chip cards). EMV makes counterfeit card fraud virtually impossible,” said Oxman. EMV—which stands for EuroPay, Mastercard, Visa—is the global standard for integrated circuit, or “chip” cards. EMV cards generate a dynamic security code with each transaction, unlike a magnetic stripe card which uses the same static code with every purchase. Thus, explained Oxman, EMV is an effective tool to combat the manufacture and use of counterfeit cards and card-present fraud.
Oxman also described the use of point-to-point encryption, whereby card data is encrypted starting from the moment the card is swiped or tapped and ending at final authorization, and tokenization, which replaces card data with a unique alphanumerical identifier that is only valid for a single transaction.
In addition, Brian Dodge, Executive Vice President, Communications and Strategic Initiatives, Retail Industry Leaders Association, described the efforts of the retail community to enhance cybersecurity throughout the industry, including an $8 billion investment to upgrade payment terminals to accept the more secure “Chip” credit cards. Dodge urged banks to issue “Chip and PIN” credit cards instead of the less secure “Chip and Signature” cards, which lack the two factor authentication protection that has dramatically reduced fraud in Europe and Canada. However, Oxman was critical of Dodge’s proposal, arguing that a Chip and PIN requirement “may prove too burdensome for smaller merchants, whose consumers benefit from moving quickly through checkout lines with ‘swipe and go.’ ”
To Oxman’s point, Stephen Orfei, General Manager of the Payment Card Industry (PCI) Security Standards Council (SSC), stated, “No single technology is a panacea; security technology is constantly evolving and requires a multi-layered approach across the payment chain.” As a result, the SSC, in collaboration with its members in the industry, has developed standards that cover payment applications, card production, PIN security, EMV Chip Terminals, tokenization, and point-to-point encryption. “These technologies can dramatically increase data security at vulnerable points along the transactional chain,” explained Orfei. Orfei also advocated for a supportive infrastructure, stating that an effective security program “is not focused on technology alone; it includes people and process as key parts of payment card data protection.”
“Recent breaches at retailers underscore the complex nature of payment card security and the need for ongoing vigilance. A complex problem cannot be solved by any single technology, standard, mandate, or regulation,” Orfei concluded. “It cannot be solved by a single sector of society—business, standards-setting bodies, policymakers, and law enforcement—must work together to protect the financial and privacy interests of consumers.”
Setting national standards. In her opening statement, Ranking Member Maxine Waters (D-Calif) expressed her desire to see a national standard that complements the states’ protections, crediting “the good work of those states that for years have been at the front lines of this fight. I believe that any federal preemption should complement states’ protections and ensure, at a minimum, that state attorneys general continue to play an important role in enforcement and notification standards.” She added that a minimum standard should not “hamstring our states’ and federal regulators’ ability to continue adapting and strengthening protections for consumers.”
Waters also sought a solution that would preserve a private right of action and ensure that affected individuals and financial institutions have legal recourse. Waters was also concerned that consumers “be consistently provided with clear disclosures of the rights and remedies available to them.”
Representative Randy Neugebauer (R-Texas) also pressed for a national standard, arguing that because the payments systems are global, a national data security standard and a national breach notification standard are needed. Neugebauer advocated for a standard that minimizes regulatory requirements, such as federal supervision and rulemaking, but emphasizes a “strong federal enforcement mechanism.”
Tim Pawlenty, President and Chief Executive Officer, Financial Services Roundtable, called for federal legislation that would create “a strong, meaningful data security requirement for all companies that handle sensitive customer information but currently have no federal requirement to protect it.” However, Pawlenty also cautioned that “any standard or process Congress creates should not be prescriptive, inflexible or overly burdensome for small businesses.”
Pawlenty also urged Congress to pass a federal data breach notification bill that includes data security standards, such as a “common-sense notification process firms should follow in the event they discover a breach of information that could put consumers at risk of harm, and that ensures consumers are notified in a timely manner, but that allows for a delay for law enforcement investigation.”
Self-described consumer and privacy advocate, Laura Moy, Senior Policy Counsel, Open Technology Institute, called for a national standard that would “strengthen, or at the very least preserve, important protections that consumers currently enjoy.” Moy advocated for federal legislation that: does not eliminate data security and breach notification protections for types of data that are currently protected under state law; provides a means to expand the range of information protected by the law as technology develops; and includes enforcement authority for state attorneys general. In addition, federal legislation “should not ignore the serious physical, emotional, and other nonfinancial harms that consumers could suffer as a result of misuses of their personal information,” said Moy.
International concerns. Rep. Ed Royce (D-Calif), who is also Chairman of the House Foreign Affairs Committee, raised questions about cyber attacks that originate from, or are funded by, foreign governments, asking Pawlenty, “What can or should be done... to hold these countries accountable in situations like this, and how do we do that?” Pawlenty responded that the United States must address the issue on a “country to country” level. “As you may know, under current law, the only entity that can fire back … is the U.S. government. Private entities cannot ‘hack back’ so the deterrent or consequences for this potential behavior can only come from the U.S. government,” answered Pawlenty.
Industry reaction. Following the hearing, Richard Hunt, President and Chief Executive Officer of the Consumer Bankers Association, released a statement applauding the decision to hold the hearing, noting, “In light of the alarming number of cyber threats, we believe it is time for Congress to advance legislation which will achieve a fair, reasonable and uniform data security standard across all industries to better safeguard consumers’ sensitive personal and financial information before breaches occur.”
This story was previously published in Banking and Finance Law Daily.