February 17, 2014
Previously published on February 7, 2014
Responding to data breaches that have affected tens of millions of American consumers and adversely affected consumer confidence, the Retail Industry Leaders Association (RILA) announced that it would launch the RILA Cybersecurity and Privacy Initiative, a public-private collaborative process aimed at improving cybersecurity and payments security and at protecting consumer information. The announcement follows an FBI report warning retailers to expect point-of-sale “malware crimes to continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it.” Relatedly, the largest breach—Target’s—appears to have been traced to a theft of network authentication credentials from an HVAC subcontractor that provided services to several large retailers.
RILA’s initiative will involve sharing threat information among industry members and working with federal lawmakers to establish a “national baseline” for notification. The group also called for the elimination of the magnetic stripe on the back of payment cards, calling the system “antiquated,” and pressed card networks and banks to adopt universal PIN security and chip-based smart card technology similar to that implemented in some regions outside the U.S.
The chip and PIN system was the subject of one congressional hearing earlier this week, where representatives of Target, Neiman Marcus, and others discussed responses to data breaches. A Target executive, speaking to members of the Senate Judiciary Committee, said that the company would accelerate a $100-million program to upgrade its payment systems. Federal Trade Commission (FTC) Chairwoman Edith Ramirez testified at the same hearing, calling for data security legislation that would give the agency authority to enforce data security requirements independent of its privacy policies. Several other witnesses also testified in support of a national data-breach notification law.
Concerns about privacy and data security will likely lead to substantial changes in the law and practice related to retail and cyber-commerce, but it will be critical for all businesses to keep abreast of the fast-moving and ongoing dialogue among companies, interest groups, lawmakers, and the public. Given the alleged involvement of a subcontractor in the breach, incorporation of data security and breach language in standard contracts may be increasingly critical, along with an assessment by all businesses of their data breach, data security and privacy coverage. Those who do not often deal with privacy matters are of course still consumers, and so may find useful some of the resources that Chairwoman Ramirez discussed in her testimony, which are available at the FTC’s blog.