Ed's Blog

We testify on data breaches again

By Ed Mierzwinski
Consumer Program Director

This morning, I testify in the Subcommittee on Financial Institutions and Consumer Credit of the House Financial Services Committee in the latest hearing on the Target data breach. The committee should post all the testimony and have a live video feed here at 10am.

As I did in a Senate hearing last month, I will try to shift the debate from the supposed need for a "uniform national data breach notification standard" to much more important issues: improving consumer rights when they use unsafe debit cards, and ensuring that standards for payment card and card network security are set in an open, fair way that holds banks and card networks accountable for forcing merchants and consumers to rely on inherently unsafe, obsolete magnetic stripe cards.

This is a somewhat long-ish blog where I lay out my main recommendations to Congress:

1) Congress should improve debit/ATM card consumer rights and make all plastic equal:

Credit cards are safe, by law. Debit cards have “zero liability” only by promise. The shared-risk fraud standard for debit cards under law, where consumers could be liable for up to $500 or more in losses, appears to be vestigial, left over from the days when debit cards could only be used with a PIN. Since banks encourage consumers to use debit cards on the unsafe signature debit platform, placing their bank accounts at risk, this fraud standard should be changed. Compare some of the Truth In Lending Act’s robust credit card protections by law to the Electronic Funds Transfer Act’s weak debit card consumer rights at this FDIC website.

As a first step, Congress should institute the same fraud cap, $50, on debit/ATM cards as exists on credit cards. Congress should also provide debit and prepaid card customers with the stronger billing dispute rights and rights to dispute payment for products that do not arrive or do not work as promised that credit card users enjoy (through the Fair Credit Billing Act, a part of the Truth In Lending Act). For a detailed discussion of these problems and recommended solutions, see "Before the Grand Rethinking: Five Things to Do Today with Payments Law and Ten Principles to Guide New Payments Products and New Payments Law," by Gail Hillebrand (then with Consumers Union, now at the CFPB).

Debit/ATM card customers already face cash flow and bounced check problems while banks investigate fraud under the Electronic Funds Transfer Act. Reducing their possible liability by law, not simply by promise, won’t solve this particular problem, but it will force banks to work harder to avoid fraud. If they face greater liability to their customers and accountholders, they will be more likely to develop better security.

2) Congress should not endorse a specific technology. If Congress takes steps to encourage use of higher standards, its actions should be technology-neutral and apply equally to all players.

“Chip and PIN” and “Chip and signature” are variants of the EMV technology standard commonly in use in Europe. The pending U.S. rollout of chip cards will allow use of the less-secure Chip and Signature cards rather than the more-secure Chip and PIN cards. Why not go to the higher Chip and PIN authentication standard immediately and skip past Chip and Signature? Further, Congress should not embrace a specific technology. Instead, it should take steps to encourage all users to use the highest possible existing standard. Current standards are developed in a closed system run by the banks and card networks. New standards should be developed in an open system that encourages innovation and applies equally to banks as well as merchants and others.

Further, as most observers are aware, chip technology will only prevent the use of cloned cards in card-present (Point-of-Sale) transactions. It is an improvement over obsolete magnetic stripe technology in that regard, yet it will have no impact on online transactions, where fraud volume is much greater already than in point-of-sale transactions.

Experiments, such as with “virtual card numbers” for one-time use, are being carried out online. It would be worthwhile for the committee to inquire of the industry and the regulators how well those experiments are proceeding and whether requiring the use of virtual card numbers in all online debit and credit transactions should be considered a best practice.

3) Investigate Card Security Standards Bodies and Ask the Prudential Regulators for Their Views:

To ensure that improvements continue to be made, the committee should also inquire into the governance and oversight of the development of card network security standards. Do regulators sit on or have oversight over the PCI card security standards board? As I understand it, merchants do not; they are only allowed to sit on what may be a meaningless “advisory” board.

4) Congress should not enact any new legislation sought by the banks to impose their costs of replacement cards on the merchants:

Target should pay its share but this breach was not entirely Target’s fault. Disputes over costs of replacement cards should be handled by contracts and agreements between the players. How could you possibly draft a bill to address all the possible shared liabilities?

5) Congress should not enact any federal breach law that preempts state breach laws or, especially, preempts other state data security rights:

In 2003, the Fair and Accurate Credit Transactions Act did not do enough to prevent identity theft. But it did not preempt new state privacy laws. Since 2003, fully 46 states enacted tough security freeze laws (based on a U.S. PIRG/Consumers Union model law) and 49 others enacted breach notification laws. State “laboratories of democracy” flourished.

But industry lobbyists (and this isn't only the banks, but includes the chemical industry, car makers, airlines, the drug companies and pretty much everyone else) prefer to enact weak federal laws accompanied by strong limits on the states. That is the wrong way to go. Broad preemption will prevent states from acting as first responders to emerging privacy threats. Congress should not preempt the states. In fact, Congress should think twice about whether a federal breach law that is weaker than the best state laws is needed at all.

6) Congress Should Allow For Private Enforcement and Broad State and Local Enforcement of Any Law It Passes:

The marketplace only works when we have strong federal laws and strong enforcement of those laws, buttressed by state and local and private enforcement.

7) Any federal breach law should not include any “harm trigger” before notice is required:

The better state breach laws, starting with California’s, require breach notification if information is presumed to have been “acquired.” The weaker laws allow the company that failed to protect the consumer’s information in the first place to decide whether to tell them, based on its estimate of the likelihood of identity theft or other harm. Only an acquisition standard will serve to force data collectors to protect the financial information of their trusted customers, accountholders or, as Target calls them, “guests,” well enough to avoid the costs, including to reputation, of a breach.

8) Congress should further investigate marketing of overpriced credit monitoring and identity theft subscription products:

In 2005 and then again in 2007 the FTC imposed fines on the credit bureau Experian for deceptive marketing of its various credit monitoring products, which are often sold as add-ons to credit cards and bank accounts. Prices range up to $19.99/month. While recent CFPB enforcement orders against several large credit card companies for deceptive sale of these add-on products, resulting in recovery of approximately $800 million to aggrieved consumers, are likely to make banks think twice about continuing these relationships with third-party firms, the committee should also consider its own examination of the sale of these credit card add-on products. See my recent post.

Consumers who want credit monitoring can monitor their credit themselves. No one should pay for it. You have the right under federal law to look at each of your 3 credit reports (Equifax, Experian and TransUnion) once a year for free at the federally-mandated central site annualcreditreport.com. Don't like websites? You can also access your federal free report rights by phone or email. You can stagger these requests, 1 every 4 months, for a type of do-it-yourself no-cost monitoring. And, if you suspect you are a victim of identity theft, you can call each bureau directly for an additional free credit report. If you live in Colorado, Georgia, Massachusetts, Maryland, Maine, New Jersey, Puerto Rico or Vermont, you are eligible for yet another free report annually under state law by calling each of the Big 3 credit bureaus.

And kudos to Discover Card for leading the way in disclosing credit scores on account statements. Director Rich Cordray and the Consumer Financial Protection Bureau have recently launched a campaign to encourage this voluntary practice. It should help end the sale of over-priced credit monitoring. Eventually, we hope credit scores will also be made part of credit reports, so anyone, not just credit card holders, can see them.

9) Review Title V of the Gramm-Leach-Bliley Act and its Data Security Requirements:

The 1999 Gramm-Leach-Bliley Act imposed certain data security responsibilities on regulated financial institutions, including banks. The requirements include breach notification in certain circumstances. The committee should ask the regulators for information on their enforcement of its requirements and should determine whether additional legislation is needed.

10) Congress should investigate the over-collection of consumer information for marketing purposes. More information means more information at risk of identity theft. It also means there is a greater potential for unfair secondary marketing uses of information:

In the Big Data world, companies are collecting vast troves of information about consumers. Every day, the collection and use of consumer information in a virtually unregulated marketplace is exploding. New technologies allow a web of interconnected businesses – many of which the consumer has never heard of – to assimilate and share consumer data in real-time for a variety of purposes that the consumer may be unaware of and may cause consumer harm. Increasingly, the information is being collected in the mobile marketplace and includes a new level of localized information.

Although the Fair Credit Reporting Act limits the use of financial information for marketing purposes and gives consumers the right to opt-out of the limited credit marketing uses allowed, these new Big Data uses of information may not be fully regulated by the FCRA. The development of the Internet marketing ecosystem, populated by a variety of data brokers and advertisers buying and selling consumer information without consumers' knowledge and consent, is worthy of Congressional inquiry. See the FTC’s March 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers." Also see my paper with Jeff Chester of the Center for Digital Democracy, at the Suffolk University Law Review, “Selling Consumers Not Lists: The New World of Digital Decision-Making and the Role of the Fair Credit Reporting Act.”
