National standard needed on consumer information breaches

ALBANY HERALD EDITORIAL: The strongest notification rules should apply to consumers across the nation

The consumer data thefts at large retail chains have demonstrated once again the need for a federal requirement on how and when customers should notified that their information has been stolen.

While the federal government has this in certain areas including banks and hospitals, retailers are covered by state laws. In cases in which the retailer has locations in multiple states, there are different thresholds that require action as far as notifying affected individuals and businesses.

Part of the problem is that states don’t want to give up the authority they have to enforce their own regulations in this area. One state might require that consumers be notified if the business has merely a reasonable suspicion that a breach has occurred, while another only mandates notification if there is a breach could harm the consumer, such as exposing him or her to identity theft.

The fact is, as America hurdles deeper into the electronic age which already has tendrils in every aspect of our lives, events like the data breaches at Target, Micheals and Neiman Marcus are going to occur again and again. By the time a big company has invested in a new security system and incorporated it into all their outlets, hackers are deep into the process of developing ways to get around it — if they haven’t already found them.

A move to smart chips in banking and credit cards would help, but businesses have been reluctant to expend the money to go that route. Already the standard outside the United States, the smart chip cards are more secure. Used at terminals that are chip-enabled, the encrypted cards are harder to clone, making fraud more difficult. CitiBank predicts on its website that chip cards will be the U.S. standard as early as next year, noting that more than 1.5 billion of the smart cards are already in use globally with 22 million terminals also in use that are capable of accepting payment from the cards.

Eventually, merchants will have to go the route of chip terminals simply as a way to keep doing business. And when the next leap in technology security comes around, they’ll have to adapt to that as well.

In the meantime, it makes no sense for consumers in one state to have less protection when it comes to notification than consumers in states like California and Massachusetts, which have some of the stricter laws. An individual’s identity is his or her most important asset, and that is something that government officials on the local, state and federal levels should bear in mind.

If lawmakers on the state and federal levels are truly concerned about protecting their citizens from this sort of thing, it would seem that they could find a common ground. A task force of federal and state legislators, along with state attorneys general, could be appointed to develop standards that give consumers the maximum protection possible. That would give multi-state retailers a single standard to meet, and give consumers reasonable expectations that should something go wrong, they would get clear, early warning.

In business, everything rests with confidence — confidence in the product being purchased and confidence that purchasing something will not result in your information being shared with criminals out to steal your money and your good name month before you know about it. Keeping that in mind would go a long way toward encouraging government leaders to cross whatever lines that have been drawn for the good of their constituents and the country as a whole.

The Albany Herald Editorial Board