The data breaches like the one at Target and more recently a unit of credit bureau Experian are fueling consumer protection efforts that could have an impact on business.
This week, the Federal Trade Commission urged Congress to pass national breach notification legislation, while in California, a bill introduced recently in the state Legislature would ban businesses from storing certain customer data for long periods of time.
The end result of the latest activity might not be known, but the trend is clear. High-profile data breaches are bolstering critics' arguments that government needs to step in to protect consumers.
The problem is that no matter how cautious people are, the safety of their personal data relies on the third-party that stores it.
"We tell individuals to simply assume that your personal information is going to be compromised and to take steps to protect yourself on a daily basis," Beth Givens, director of the Privacy Rights Clearinghouse, said. "However, there is nothing any consumer could have done to prevent being affected by these breaches."
The breaches include retailer Target, which had the personal data of 110 million shoppers stolen from its computers by hackers in December. More recently, a breach at a subsidiary of Experian exposed the social security numbers and other personal data of 200 million people, Reuters news agency reported. The incident has started a multi-state investigation on whether laws to protect consumer data were properly followed.
On Wednesday, Edith Ramirez, chairwoman of the Federal Trade Commission told the Senate Committee on Homeland Security and Government Affairs that as more data breaches are reported the message becomes clear that "consumers' data is at risk."
To reduce that risk, Ramirez asked that Congress require companies to notify consumers affected by a breach. In addition, Ramirez called on lawmakers to give the FTC the authority to seek civil penalties to deter unlawful conduct by companies, rulemaking authority to bolster protections and jurisdiction over non-profit entities, which are not currently under FTC oversight.
In California, the bill introduced in the state Assembly would ban long-term storage or personal identification numbers, social security numbers and drivers license numbers. The proposal would also require retailers to cover consumers' losses from data breaches. Businesses would also be required to notify victims within 15 days of a breach.
"The provisions (of the bill) provide a great deal of additional consumer protection for individuals who have been affected by data breaches," Givens said.
Such legislation is not supported by businesses. NetChoice, a trade association of e-commerce businesses, pointed out in a blog post that retailers are also victims in data breaches, which can lead to millions of dollars in losses.
"We shouldn't resort to new legislation that penalizes the victim," Carl Szabo, policy counsel for NetChoice, wrote.
With most breaches, businesses are already punished by having to pay fines to credit card companies and reimburse banks for fraudulent charges on credit cards.
Rather than pass additional laws, the association would prefer that Congress consolidate existing state laws on data breach notification into one federal standard.
"Today, online and offline businesses face a patchwork of state laws, attorneys general and consumer organizations that play by different and confusing rules," Szabo said. "A single federal standard for data breach notification would resolve the confusion and benefit both consumers and businesses."