Only The Commerce Department Could Make Retail Self-Regulation Look Good

A data breach is a nightmare, and not just because it means thieves have broken through a retailer's security. The second half of the nightmare is dealing with the wide range of state laws about reporting data breaches and managing data privacy. But some help would seem to be on the way, according to a Commerce Department report leaked last Friday (Nov. 12) that recommends new federal laws to standardize data-breach reporting requirements and provide a privacy safe-harbor for businesses.

Really? We've seen lawmakers take their best shot at data security and privacy before. This time, it's a task force of bureaucrats trying to balance the demands of competing interests. But at this point, we don't need balance. We need clear rules for protecting customer data, and regulations with teeth so there's a meaningful penalty when data isn't kept safe. As it is, the Commerce task force has some nice ideas about voluntary privacy principles that won't go anywhere in Congress—and wouldn't help even if they did.

A draft version of the task force's report, which was leaked to the telecom newsletter TRDaily, recommends a new privacy law "built on an expanded set of fair information practice principles," according to the draft report. Retailers who conform to the principles would get safe-harbor protection from lawsuits and enforcement action by the Federal Trade Commission. Exactly what those principles will be is up in the air, but the task force stresses it wants them to form "voluntary but enforceable codes of conduct."

The task force also recommends a new federal data-breach law that "includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways. The law should track the effective protections that have emerged from state security breach notification laws and permit enforcement by state authorities," the report said.

Wait—a safe harbor based on "voluntary but enforceable" codes of conduct for privacy? A law that "encourages" strict data security, and lets states pile on their own extra requirements for data-breach disclosures? Apparently, there's only one thing less effective than retail self-regulation—that's the Commerce Department doing it.

What would actually help for data-breach regulation? Real security standards. Real breach disclosure. Real teeth for the FTC in chasing companies with lousy security and privacy. And, oh yes, a safe harbor for retailers who actually protect their payment-card and customer information.

PCI-DSS is a starting point for security standards. It offers a baseline for payment-card security. But there's at least as much sensitive data piled up in retailers' CRM databases. Some of that purchase information could be embarrassing. Some could let a data thief assemble enough information to steal customer identities wholesale. Almost none of it is encrypted, and there are virtually no widely used standards for protecting it.

Of course, that CRM data is less attractive to thieves right now because payment-card data is so much more valuable, and often easier to steal. At least that's what we assume. But unlike a stolen payment-card number, non-negotiable CRM data is almost impossible to trace. If someone steals it, who would know?

When it comes to breach disclosure, how about this simple rule: Disclose the breach in as much detail as possible within 24 hours of its discovery.

No exceptions. Not for a few weeks to figure out exactly how the thieves got in and what they got away with. Not to wait until the holiday season is over so as not to spook the customers. Not at the behest of law enforcement (who will always agree that it's better not to go public about a crime).

Just disclose the breach. We know now that customers won't stop shopping at a retailer that has been breached, even if there's massive publicity. But without disclosure, those same customers won't know to cancel their credit cards or check their bank statements. Card issuers won't know to flag those cards for possible fraud activity. Waiting helps no one but the thieves.

And the FTC's feeble ability to punish even the most egregious security and privacy lapses certainly won't prod big retailers to do the right thing. In practice, the FTC can only deliver wrist-slaps to big offenders, who would barely notice a million-dollar fine (not that the FTC can go that high today). The bigger a retailer is, the less that fine hurts.

Heftier fines would get the attention of big companies. But an even more effective punishment would be suspending a retailer's ability to do business on the Internet for a period of time. Now that would get a big retailer's attention—and the bigger the retailer, the more that penalty would hurt.

Meanwhile, for retailers who demonstrate that they've taken the prescribed steps to lock down their payment and CRM data and promptly reported any breaches, the FTC should also be able to offer that safe harbor: protection from penalties and lawsuits for negligence in a breach.

That's a big carrot to go with the big stick of effective FTC penalties. But taken together, they might actually move retailers in the right direction.