WASHINGTON – Lawmakers are calling for immediate action to pass long-stalled data-security legislation in the face of last week’s news of a massive data breach at cards processor Global Payments Inc.
Rep. Mary Bono Mack called on her House colleagues to pass her data-protection bill, the Secure and Fortify Electronic (SAFE) Data Act, which would require security policies and procedures to protect data containing personal information, and provides for nationwide notice in the event of a security breach.
“Consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them,” said the California Republican.
The latest cards breach, which may have exposed millions of Visa, MasterCard and Discover cards to hackers, has reignited hope among credit unions that their long fight for data security legislation could come to fruition.
Though legislative proposals that would have required immediate public notification and reimbursement by the breached parties has been dismissed in past Congresses, the hope is that pending cyber security bills aimed at protecting government and other important institutions from hackers will serve as a vehicle for the cards bills.
“There’ll be tons of amendments,” Larry Blanchard, a Credit Union National Association Mutual Group lobbyist who has been working on the issue for a decade, said last weekend to ISO&Agent Weekly. “We expect there will be a lot of amendments to the bills having to do with cyber security and data breaches.”
Movement on the data security issue, which attracts interest that ebbs and flows with the discovery of large scale cards breaches, has been plagued by the interests of two powerful Washington lobbies on opposite sides of some of the issues–the credit union and banks that issue cards and must plug the breaches, and the merchants who often are the victims of hackers.
The card issuers have fought for years for bills that would require the victims of hacking to notify the affected parties immediately–cardholders in most cases–and to pay the costs to resolve the hacking, such as card replacements and fraud restitution. But the merchants, who would be liable for the reimbursement costs and for the harm public notification would do their reputation, have opposed such measures.