|February 12, 2014|
Previously published on February 03, 2014
Retailers Respond to Data Breaches, Target to Spend $100m to Upgrade to Chip Tech
Responding to data breaches that have affected tens of millions of American consumers, adversely affecting consumer confidence, the Retail Industry Leaders Association (RILA) announced that it would launch the RILA Cybersecurity and Privacy Initiative, a public-private collaborative process aimed at improving cybersecurity, payments security, and protecting consumer information. The announcement follows on an FBI report warning retailers to expect point-of-sale “malware crimes to continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it.” Relatedly, the largest breach—Target’s—appears to have been traced to a theft of network authentication credentials from an HVAC subcontractor that provided services to several large retailers.
RILA’s initiative will involve sharing threat information among industry members and working with federal lawmakers to establish a “national baseline” for notification. The group also called for the elimination of the magnetic stripe on the back of payment cards, calling the system “antiquated,” and pressing card networks and banks to adopt universal PIN security and chip-based smart card technology similar to that implemented in some regions outside the U.S.
The chip and PIN system was the subject of one congressional hearing earlier this week, where representatives of Target, Neiman Marcus, and others discussed responses to data breaches. A Target executive, speaking to members of the Senate Judiciary Committee, said that the company would accelerate a $100-million program to upgrade its payment systems. Federal Trade Commission (FTC) Chairwoman Edith Ramirez testified at the same hearing, calling for data security legislation that would give the agency authority to enforce data security requirements independent of its privacy policies. Several other witnesses also testified in support of a national data-breach notification law.
Concerns about privacy and data security will likely lead to substantial changes in the law and practice related to retail and cyber-commerce, but it will be critical for all businesses to keep abreast of the fast-moving and ongoing dialogue among companies, interest groups, lawmakers, and the public. Given the alleged involvement of a subcontractor in the breach, incorporation of data security and breach language in standard contracts may be increasingly critical, along with an assessment by all businesses of their data breach, data security and privacy coverage. Those who do not often deal with privacy matters are of course still consumers, and so may find some resources that Chairman Ramirez discussed in her testimony to be useful, which are available at the FTC’s blog.
CPSC to Consider Making It Easier to Publish Company-Specific Information
The Consumer Product Safety Commission’s (CPSC) staff has prepared a draft amendment to the CPSC’s policy regarding the release of company-specific information about safety issues related to consumer products. The policy, which is tied to Section 6(b) of the Consumer Product Safety Act, requires the agency to give companies notice before releasing information that could be tied to the company by the public. The proposal is now scheduled to be debated and voted on February 12, 2014; if approved, the proposal would be released to the public for comment.
The changes that the agency staff drafted include some modernizing elements, such as generally favoring communicating with companies electronically. Others are more substantive, such as requiring companies to provide non-“conclusory” rationales to support a firm’s request that the agency not disclose the firm’s comments about the fairness and accuracy of the information the Commission proposes to disclose. The changes would also exempt information from § 6(b) that is already publicly available; withdraw the “renotification” option that companies have been able to exercise for subsequent releases of company-specific information; and reduce the amount of information subject to § 6(b) by applying it only to information “obtained” by the agency, eliminating its application to information “generated” or “received” by the agency. Companies with products regulated by the CPSC should pay close attention to this rulemaking; as with some other rules proposed and adopted in the last several years, the Commission may make substantial changes to the draft before it reaches the public. Acting Chairman Robert S. Adler has long critiqued § 6(b), saying that it “inhibits, to the point of virtual prohibition, the CPSC[’s] . . . timely [release of] manufacturer[-]specific safety information.”
Controversial Voluntary Recall Process Changes from CPSC Draw Criticism from Congress and Industry
The CPSC’s proposed changes to its policy on voluntary recalls have drawn significant criticism from many industry organizations, as well as two Pennsylvania senators, Bob Casey (D) and Pat Toomey (R). The senators focused on the CPSC’s award-winning “Fast Track” program, and wrote that “the proposed changes seem to jeopardize the efficacy of the existing process, which could increase the risk of harm to consumers.”
With at least 46 separate sets of comments posted at Regulations.gov, the proposal drew strong criticism from many business organizations. Some of the more controversial changes included a proposal to make corrective action plans (CAPs) legally binding, and to impose legally binding compliance plans on businesses. Currently, such CAPs are not legally binding, though they are the product of negotiations between companies and the agency. Another highly controversial change was to alter existing language that allows a company to include non-admission language in a notice, instead requiring the Commission and the party to agree. This is tantamount to giving the Commission veto power over a company’s right to disclaim liability or deny the existence of a defect in its product. Other elements include relatively detailed requirements for press releases; for example, specifying that the word “recall” should appear in the headline, as should the product class, but not necessarily the model number or other identifying information, even when available.
The proposed amendments follow a relatively large shift in the agency’s focus after the 2008 enactment of the Consumer Product Safety Improvement Act (CPSIA). That law increased the agency’s budget, increased its authority and the size of penalties it could extract from violative companies, and directed the agency to embark on numerous new regulatory activities such as requiring third-party testing for children’s products. Though some of the agency’s regulatory activity seems to have slowed, its enforcement apparatus may just be heating up, with some parties expecting the agency to levy its first $10-million-plus penalty before long. With this proposal, however, many business organizations argue that the Commission has exceeded even its expanded authority under CPSIA, and is seeking to impose unconstitutional conditions on the exercise of free speech rights. The agency will have to review and respond to the comments, and explain what points in the comments it agrees or disagrees with, if it chooses to move forward with the rulemaking.
EPA Extends Comment Period for “Green” Federal Purchase Labels
The Environmental Protection Agency (EPA) is seeking input on its Draft Guidelines for Product Environmental Performance Standards and Ecolabels for Voluntary Use in Federal Procurement, and just extended the comment period. The proposal was developed in response to Executive Order 13,514 and Federal Acquisition Regulation 23.103, which require 95% of federal agency acquisitions to be sustainable. The Guidelines were developed by an interagency task force that is figuring out how to evaluate “green” or “environmentally friendly” labels on products backed by non-governmental organizations. EPA suggests that different labeling standards make it difficult for federal purchasers to identify which products meet federal requirements. As a result, federal purchasers have maintained contracting agreements with companies whose products contain federal ecolabels, largely ignoring private industry labeling practices.
The proposal would address this with criteria for evaluating private-sector ecolabels and “environmentally-friendly” claims. This would depend on one or more private sector organizations working with the federal government and stakeholders to evaluate ecolabels by product category, creating a list of labels that meet federal requirements. Federal purchasers could then refer to this list when entering into purchasing agreements, allowing agencies to meet the 95% acquisition sustainability requirement while creating opportunities for broader private sector engagement.