Slashdot Mirror


Gridlock In Action: Retailers Demand New Regulations To Protect Consumers

chicksdaddy writes: How bad is the gridlock in Washington D.C.? So bad that the nation's retailers are calling for federal legislation on cyber security and data protection to protect consumer information — even though they would bear the brunt of whatever legislation is passed. The Security Ledger notes that groups representing many of the nation's retailers sent a letter (PDF) to Congressional leaders last week urging them to pass federal data protection legislation that sets clear rules for businesses serving consumers.

"The recent spate of news stories about data security incidents raises concerns for all American consumers and for the businesses with which they frequently interact," the letter reads. "A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

Retailers would likely bear the brunt of a new federal data protection law. The motivation for pushing for one anyway may be simplicity. Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam. There is broad, bi-partisan agreement on the need for a data breach and consumer protection law. However, small differences of opinion on its scope and provisions, exacerbated by political gridlock in Congress since 2010, have combined to stay the federal government's hand.
Meanwhile, reader schwit1 points out that banks are now starting to demand that retailers pay for all the financial damage their security breaches cause.


  1. CYA by thaylin · · Score: 4, Insightful

    I think this is just CYA. The government will set a minimum standard of security which the retailers will set as their default level and that way when a breach happens they can say, well we followed the government mandates, we should not be sued. This is not for the customers, it is for the retailers.

    In reality they should be securing their systems to the best of their ability.

    --
    When you can't win, ad hominem.
    1. Re:CYA by TigerPlish · · Score: 2

      The last sentence of TFS has a link to an article mentioning bankers are pressuring retailers to pay for the banks' costs in a post-breach cleanup.

      Money talks. In this case the bankers hold all the cards and the retailers will have no choice but to armor their payment systems. That, or spend hand-over-fist in cleanup and damaged reputation.

      Which road will they take? The cheaper one -- which I suspect is to armor their POS systems.

      --
      The "Civilized World" jumped the shark ca. 1973.
    2. Re:CYA by gstoddart · · Score: 4, Insightful

      In reality they should be securing their systems to the best of their ability.

      I wouldn't say "to the best of the ability of the retailers".

      They've already demonstrated themselves to be lazy, incompetent, and largely indifferent to security.

      They should be held to an entirely different standard than "the best of their ability", because we already know that's not good enough.

      --
      Lost at C:>. Found at C.
    3. Re:CYA by jbmartin6 · · Score: 2

      I'm not so sure that armoring POS systems is the cheaper option. Sure there are a myriad of things that can be done, but how effective are they likely to be? Even a company like RSA got breached, and their seed database was armored pretty well until reality pried it open. Ultimately the underlying issue will remain, which is that "shared secret" is an oxymoron. As long as the payment is verified by shared information someone will find a way to steal and use the shared information. After all, retailers can't just seal the information in a box and never access it, they need to use it. And thieves will just access it the same way the retailer does.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    4. Re:CYA by Art+Challenor · · Score: 2

      I'm not so sure that armoring POS systems is the cheaper option.

      The cheapest thing is to buy off politicians so that they can continue doing what they are currently doing, but shift the blame to the consumer. This, I assume, is the purpose of the legislation. (Cynicism is almost always the model with the most accurate predictions of political outcomes in the US).

    5. Re:CYA by TigerPlish · · Score: 3

      No, the Mom and Pop likely uses a 3rd-party payment processor.

      What, you thought *everyone* taking credit / debit payments has their own in-house?

      --
      The "Civilized World" jumped the shark ca. 1973.
    6. Re:CYA by fuzzyfuzzyfungus · · Score: 2

      I think this is just CYA. The government will set a minimum standard of security which the retailers will set as their default level and that way when a breach happens they can say, well we followed the government mandates, we should not be sued.

      I agree that this isn't some altruistic action motivated by concern over the poor consumers; but asking for regulation is something that also serves a secondary purpose: 'retail security' is a collective action problem: It costs money to do (best case, it costs money but at least you can do it unilaterally, as in the case of hardening your own network and backend; worst case it costs money and can't be done without industry-wide buy-in, as with replacing mag stripes with something less totally fucked); but the benefits are mostly invisible (customers only care how secure you are when you weren't secure enough and you get cracked; up until then, they don't know and don't care whether you are pitifully insecure and lucky or highly secure).

      Under these circumstances, it's difficult to justify unilateral improvements ("Hey, the nerds over in the cost center want more money because something, something, identity theft, yadda yadda. Tell them to STFU, it's cheaper just to 'apologize' and offer a free year of credit monitoring") and even more difficult to drive a coordinated, multi-actor, upgrade.

      If you lobby for a regulation, though, you can be assured that your competitors have to deal with the same hassle you are dealing with and are in a much better position to say "Hey! Other merchants, banks, and involved parties? Y'know those new regulations? Compliance will end up costing us all less if we just roll out something less broken, rather than individually slapping band-aids on our shitty systems."

      It's not elegant; but that is an additional use of regulation, aside from CYA.

    7. Re:CYA by CrimsonAvenger · · Score: 2

      Shouldn't the market solution be cheapest for the pure blooded capitalists of retail?

      Two things:

      1) Whatever makes you think that retail giants are "pure-blooded capitalists"?

      2) A sufficiently powerful government usually means that the cheapest solution to any problem is to buy favourable legislation.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
  2. Er...lobbyist fails to do job, so panic? by xxxJonBoyxxx · · Score: 4, Insightful

    >> gridlock...nation's retailers

    Er...lobbyist fails to do job, so panic?

    >> they would bear the brunt of whatever legislation is passed....there are 47 different state-based security breach notification laws

    In other words, they want a single Federal law to replace all the state laws, which would do two things: 1) allow them to concentrate their efforts on watering down the federal law 2) take the ability for people to collect damages against it out of state courts and 3) reduce their notification costs because they would only do the bare minimum required by the federal law (e.g., filing it in a basement drawer marked with "beware the leopard"). I see no "brunt" here. (IANAL)

  3. Translation by Charliemopps · · Score: 2

    Translation: Please pass a law that dictates the minimum effort we are required to put forward so we can barely meet that very low bar and not get sued. As it is, we have to actually pay attention to security and update constantly. If you pass a law, it will be out of date in about 3 months... but hey! At least we can't get sued. And that's all that really matters.

    1. Re:Translation by mrchaotica · · Score: 4, Insightful

      There is a less pessimistic translation: "Please pass a law so that our competitors are forced to spend money securing their systems, so that we can justify doing so without fear of being out-competed."

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  4. Re:Repeat with me by TigerPlish · · Score: 2

    So you'd rather have it so there are no Federal consequences for being a sloppy, lazy, bug-infested easy target?

    Sometimes regulation protects all of us, not just corporations. This could be one of those.

    OK, I have a non-regulated approach to fighting breaches: If your company is stupid enough to get breached, the banks and card issuers must block you from doing credit and debit card business again -- ever. Good luck with cash-only.

    Is that too cold-hearted for you? You'd rather have that instead of rules and consequences for data breaches?

    --
    The "Civilized World" jumped the shark ca. 1973.
  5. Shift the cost to the consumer ... by CaptainDork · · Score: 2

    The banks are not the point of contact for the consumer ... the retailer is. Banks AND retailers want the retailer to bear the cost so the retailer can pass it on to the consumer.

    Consumers, in one form or another, will be responsible for breaches.

    --
    It little behooves the best of us to comment on the rest of us.
  6. Gridlock by Anonymous Coward · · Score: 3, Funny

    Gridlock? Yes, the democrat Senate has prevented many bipartisan House bills from passing. It will be good to see the Senate in the hands of the GOP. Hopefully Obama won't continue the gridlock by vetoing bills.

    1. Re:Gridlock by oh_my_080980980 · · Score: 2

      You mean like the immigration reform bills tied up in the House that would pass if Boehner allowed a vote? Yeah, keep promoting that canard....

  7. Retailers can improve security in one big way by Applehu+Akbar · · Score: 3, Interesting

    Just turn NFC back on while you wait for CurrentC to get off the ground and be tested sometime next year. It's already on your registers, and some of the NFC vendors have high-grade security that sharply reduces the risk of credit card breaches.

  8. Gridlock is so bad ... by RoccamOccam · · Score: 2

    The gridlock has been so bad that the American public has voted to fix it. Yay!