This morning, I testify in the Subcommittee on Financial Institutions and Consumer Credit of the House Financial Services Committee in the latest hearing on the Target data breach. The committee should post all the testimony and have a live video feed here at 10am.
As I did in a Senate hearing last month, I will try to shift the debate from the supposed need for a "uniform national data breach notification standard" to much more important issues, such as improving consumer rights when they use unsafe debit cards to ensuring that standards for payment card and card network security are set in an open, fair way that holds banks and card networks accountable for forcing merchants and consumers to rely on inherently unsafe, obsolete magnetic stripe cards.
This is a somewhat long-ish blog where I lay out my main recommendations to Congress:
1) Congress should improve debit/ATM card consumer rights and make all plastic equal:
Credit cards are safe, by law. Debit cards have “zero liability” only by promise. The shared risk fraud standard for debit cards under law – where consumers could be liable for up to $500 or more in losses – appears to be vestigial, left over from the days when debit cards could only be used with a PIN. Since banks encourage consumers to use debit cards on the unsafe signature debit platform, placing their bank accounts at risk, this fraud standard should be changed. Compare some of the Truth In Lending Act’s robust credit card protections by law to the Electronic Funds Transfer Act’s weak debit card consumer rights at this FDIC website.
As a first step, Congress should institute the same fraud cap, $50, on debit/ATM cards as exists on credit cards. Congress should also provide debit and prepaid card customers with the stronger billing dispute rights and rights to dispute payment for products that do not arrive or do not work as promised that credit card users enjoy (through the Fair Credit Billing Act, a part of the Truth In Lending Act). For a detailed discussion of these problems and recommended solutions, see "Before the Grand Rethinking: Five Things to Do Today with Payments Law and Ten Principles to Guide New Payments Products and New Payments Law," by Gail Hillebrand (then with Consumers Union, now at the CFPB).
Debit/ATM card customers already face cash flow and bounced check problems while banks investigate fraud under the Electronic Funds Transfer Act. Reducing their possible liability by law, not simply by promise, won’t solve this particular problem, but it will force banks to work harder to avoid fraud. If they face greater liability to their customers and accountholders, they will be more likely to develop better security.
2) Congress should not endorse a specific technology. If Congress takes steps to encourage use of higher standards, its actions should be technology-neutral and apply equally to all players.
“Chip and PIN” and “Chip and signature” are variants of the EMV technology standard commonly in use in Europe. The current pending U.S. rollout of chip cards will allow use of the less-secure Chip and Signature cards rather than the more-secure Chip and PIN cards. Why not go to the higher Chip and PIN authentication standard immediately and skip past Chip and Signature? Further, Congress should not embrace a specific technology. Instead, it should take steps to encourage all users to use the highest possible existing standard. Current standards are developed in a closed system run by the banks and card networks. New standards should be developed in an open system that encourages innovation and applies equally to banks as well as merchants and others.
Further, as most observers are aware, chip technology will only prevent the use of cloned cards in card-present (Point-of-Sale) transactions. It is an improvement over obsolete magnetic stripe technology in that regard, yet it will have no impact on online transactions, where fraud volume is much greater already than in point-of-sale transactions.
Experiments, such as with “virtual card numbers” for one-time use, are being carried out online. It would be worthwhile for the committee to inquire of the industry and the regulators how well those experiments are proceeding and whether requiring the use of virtual card numbers in all online debit and credit transactions should be considered a best practice.
3) Investigate Card Security Standards Bodies and Ask the Prudential Regulators for Their Views:
To ensure that improvements continue to be made, the committee should also inquire into the governance and oversight of the development of card network security standards. Do regulators sit on or have oversight over the PCI card security standards board? As I understand it, merchants do not; they are only allowed to sit on what may be a meaningless “advisory” board.
4) Congress should not enact any new legislation sought by the banks to impose their costs of replacement cards on the merchants:
Target should pay its share but this breach was not entirely Target’s fault. Disputes over costs of replacement cards should be handled by contracts and agreements between the players. How could you possibly draft a bill to address all the possible shared liabilities?
5) Congress should not enact any federal breach law that preempts state breach laws or, especially, preempts other state data security rights:
In 2003, the Fair and Accurate Credit Transactions Act did not do enough to prevent identity theft. But it did not preempt new state privacy laws. Since 2003, fully 46 states enacted tough security freeze laws (based on a U.S. PIRG/Consumers Union model law) and 49 others enacted breach notification laws. State “laboratories of democracy” flourished.
But industry lobbyists (and this isn't only the banks, but includes the chemical industry, car makers, airlines, the drug companies and pretty much everyone else) prefer to enact weak federal laws accompanied by strong limits on the states. That is the wrong way to go. Broad preemption will prevent states from acting as first responders to emerging privacy threats. Congress should not preempt the states. In fact, Congress should think twice about whether a federal breach law that is weaker than the best state laws is needed at all.
6) Congress Should Allow For Private Enforcement and Broad State and Local Enforcement of Any Law It Passes:
The marketplace only works when we have strong federal laws and strong enforcement of those laws, buttressed by state and local and private enforcement.
7) Any federal breach law should not include any “harm trigger” before notice is required:
The better state breach laws, starting with California’s, require breach notification if information is presumed to have been “acquired.” The weaker laws allow the company that failed to protect the consumer’s information in the first place to decide whether to tell them, based on its estimate of the likelihood of identity theft or other harm. Only an acquisition standard will serve to force data collectors to protect the financial information of their trusted customers, accountholders or, as Target calls them, “guests,” well enough to avoid the costs, including to reputation, of a breach.
8) Congress should further investigate marketing of overpriced credit monitoring and identity theft subscription products:
In 2005 and then again in 2007 the FTC imposed fines on the credit bureau Experian for deceptive marketing of its various credit monitoring products, which are often sold as add-ons to credit cards and bank accounts. Prices range up to $19.99/month. While it is likely that recent CFPB enforcement orders against several large credit card companies for deceptive sale of the add-on products – resulting in recovery of approximately $800 million to aggrieved consumers – may cause banks to think twice about continuing these relationships with third-party firms, the committee should also consider its own examination of the sale of these credit card add-on products. See my recent post.
Consumers who want credit monitoring can monitor their credit themselves. No one should pay for it. You have the right under federal law to look at each of your 3 credit reports (Equifax, Experian and TransUnion) once a year for free at the federally-mandated central site annualcreditreport.com. Don't like websites? You can also access your federal free report rights by phone or email. You can stagger these requests – 1 every 4 months – for a type of do-it-yourself no-cost monitoring. And, if you suspect you are a victim of identity theft, you can call each bureau directly for an additional free credit report. If you live in Colorado, Georgia, Massachusetts, Maryland, Maine, New Jersey, Puerto Rico or Vermont, you are eligible for yet another free report annually under state law by calling each of the Big 3 credit bureaus.
And kudos to Discover Card for leading the way in disclosing credit scores on account statements. Director Rich Cordray and the Consumer Financial Protection Bureau have recently launched a campaign to encourage this voluntary practice. It should help end the sale of over-priced credit monitoring. Eventually, we hope credit scores will also be made part of credit reports, so anyone, not just credit card holders, can see them.
9) Review Title V of the Gramm-Leach-Bliley Act and its Data Security Requirements:
The 1999 Gramm-Leach-Bliley Act imposed certain data security responsibilities on regulated financial institutions, including banks. The requirements include breach notification in certain circumstances. The committee should ask the regulators for information on their enforcement of its requirements and should determine whether additional legislation is needed.
10) Congress should investigate the over-collection of consumer information for marketing purposes. More information means more information at risk of identity theft. It also means there is a greater potential for unfair secondary marketing uses of information:
In the Big Data world, companies are collecting vast troves of information about consumers. Every day, the collection and use of consumer information in a virtually unregulated marketplace is exploding. New technologies allow a web of interconnected businesses – many of which the consumer has never heard of – to assimilate and share consumer data in real-time for a variety of purposes that the consumer may be unaware of and may cause consumer harm. Increasingly, the information is being collected in the mobile marketplace and includes a new level of localized information.
Although the Fair Credit Reporting Act limits the use of financial information for marketing purposes and gives consumers the right to opt out of the limited credit marketing uses allowed, these new Big Data uses of information may not be fully regulated by the FCRA. The development of the Internet marketing ecosystem, populated by a variety of data brokers and advertisers buying and selling consumer information without consumers' knowledge and consent, is worthy of Congressional inquiry. See the FTC’s March 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers." Also see my paper with Jeff Chester of the Center for Digital Democracy, in the Suffolk University Law Review, “Selling Consumers Not Lists: The New World of Digital Decision-Making and the Role of the Fair Credit Reporting Act.”