Members of Congress, both Republican and Democrat, now say that Sarbanes-Oxley can be unduly burdensome on business. The law that, in the wake of an accounting panic, sailed through Congress in 2002 with few dissenting votes is now coming under scrutiny for its unintended consequences.
Yet Congress is close to passing another law that might result yet again in costly, prescriptive, one-size-fits-all mandates. And this law would have a much broader reach than Sarbanes-Oxley. This time the target is data security, and several bills sailing through House and Senate committees show that Congress has learned very little about the inherent problems of sweeping solutions.
After breaches at data brokers such as ChoicePoint, in which fake firms got access to sensitive customer data, Congress took up the serious issues of identity theft and when to notify customers that a data breach has occurred. Privacy groups called for federal rules for notification, and some businesses also supported these in the hopes that they would preempt differing laws among the states.
These private sector breaches have now been dwarfed by the apparent negligence of a government worker. According to the Department of Veterans Affairs, a VA employee took home a database that included sensitive personal information on 26.5 million veterans. The employee’s home was burglarized and the data was stolen, and now identity thieves may have access to data that includes veterans’ Social Security numbers and dates of birth. In the rush to show they’re doing something about this government failure, members of Congress may, ironically, try to quickly piece together several bills that mostly regulate private sector data practices.
Unfortunately, what has resulted so far is a series of bills that will be a burden on the economy and likely counterproductive for protecting data. This is because the bills go beyond most state rules requiring consumer notification and actually mandate that businesses follow specific practices and procedures for data security. As they have an incredibly broad definition of information brokers, it won’t just be data warehouses like ChoicePoint that are subject to these rules, but the independent convenience store and home-based online seller as well.
Under the Personal Data Privacy and Security Act, sponsored by Arlen Specter (R., Pa.) and Patrick Leahy (D., Vt.), any “business entity” that collects “sensitive personally identifiable information in electronic or digital form” on 10,000 or more U.S. people must have a data security program. In this bill that passed the Senate Judiciary Committee in November, there is no exemption even for non-profits. According to tech pundit Declan McCullagh, “[T]he definitions could cover … popular blogs that have thousands of registered users, … alumni organizations for schools, charities,” and many more types of groups that receive identifiers from credit cards to e-mail addresses.
As for the mandated procedures in Specter-Leahy, McCullagh writes, “[M]y sense is that these requirements will end up being another version of Sarbanes-Oxley, with the same destructive, wealth-eroding implications.” The bill commands that a firm, whatever its size, must implement a “risk assessment” to “identify reasonably foreseeable vulnerabilities,” “assess the likelihood” of data breaches, and conduct “regular testing of key controls.” These open-ended mandates seem to mirror the “internal control” requirements of Sarbanes-Oxley’s Section 404 that have been so costly to public companies.
The bill carries a maximum five-year prison term for “willfully” concealing a “security breach.” Notification of authorities and consumers of potential identity theft is very important, but it is sometimes difficult to determine if a breach has occurred and unauthorized people have had access to data. So, like Sarbanes-Oxley, Specter-Leahy would potentially criminalize honest mistakes.
In fact, there is considerable debate even among information technology professionals over what constitutes a breach and when notification is advisable. Some say that premature notification can falsely alarm consumers and alert hackers to a system’s vulnerabilities. For example, would the burglar or burglars in the Washington, D.C., area know that data from 26.5 million veterans was contained on what they stole if there had not been a public announcement? There are no easy answers, particularly for government agencies like the VA. In the private sector, however, contract arrangements and the threat of liability are a strong incentive for effective notification practices. But the prospect of jail time could make firms act out of fear rather than, and perhaps against, rational judgment.
A bill that unanimously passed the House Energy and Commerce Committee in March would cover an even broader range of businesses—nearly every firm in America that accepts credit cards. As described in a press release by the committee’s top Democrat, John Dingell, the bill “sends a clear message: If you can’t protect it, don’t collect it.” Under the Data Accountability and Trust Act, security programs would be required for “each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information.” The firm would have to establish “a process for identifying and assessing any reasonably foreseeable vulnerabilities” subject to review by the government. The bill does instruct the Federal Trade Commission to consider costs and the size of a firm’s activities in tailoring its rules, but contains no exemptions based on the size of a firm.
Both bills also contain a bizarre enforcement mechanism. State attorneys general, many already known for their creative activist readings of state laws, would be allowed to sue firms in federal court for violations of a federal law. This is a form of what American Enterprise Institute legal scholar Michael Greve has called “cooperative federalism,” in which states are used as tools to arbitrarily increase the power of the federal government.
Drastic things could happen if these bills become law. Many small shops would stop taking credit cards, hindering their ability to grow and compete. Many home-based online businesses would never get off the ground. These might sound like overstatements, but few predicted upon passage of Sarbanes-Oxley that hundreds of solid firms would delist from U.S. exchanges. These schemes go even further in attempting to micromanage everyday routines not just at public companies, but at virtually all American businesses.
The most important probable consequence is that data could actually become even more vulnerable to hacking and cyber-attacks. This is because mandating that companies follow the best practices in data management would likely lead to the government picking winners and losers among security technologies. A budding Eliot Spitzer at the state level could sue to effectively outlaw a security program he deems bad, and this would set national policy. This could hinder innovation from competing firms such as Symantec and Counterpane to provide the best security. And the resulting lack of variety in data protection practices could make it easier for hackers to acquaint themselves with the inner workings of most U.S. systems. While not opposing a federal data security mandate, Microsoft official Michael Hintze warned at a House hearing that “as technology advances and engineers respond to evolving threats to information security, a one-size-fits-all regime would likely and rapidly become obsolete.”
There are already strong incentives for firms to beef up their data security. Data theft causes a firm to lose valuable assets, and it deals a blow to the firm’s reputation. Right now, a variety of best practices are evolving through experience in e-commerce. Credit-card companies, for instance, through laws and their own consumer policies, are often liable for purchases made by means of identity theft. This encourages them to demand strong security practices at the retailers who take their cards. The private sector has a bird’s-eye view of specific cybersecurity problems and what to do about them. Recent innovations may explain why there have not been widespread reports of identity theft resulting from the highly publicized data breaches last year.
The VA fiasco also demonstrates one more reason why the government is in no place to instruct the private sector on specific policies. The VA is far from the only government entity that has experienced problems in protecting sensitive data. A congressional review shows that several other federal agencies don’t have such a hot record with data security.
Technology experts say many increased data vulnerabilities in the private sector stem from existing federal mandates forcing firms to store and keep voluminous amounts of e-mails and sensitive information. True, many firms do keep select data for marketing purposes, but laws like Sarbanes-Oxley mandate that many firms keep almost every e-mail on file in case there is ever a government investigation. And as Tom Nugent pointed out recently on NRO, “Not only were the companies involved required to keep these records, they were to demonstrate that they had put in place the mechanisms necessary to track these records.” The storage expense also leads to more transfers of data to third parties who specialize in maintenance of electronic records. Lots of data going through lots of hands increases the chance that data could be compromised. And since many of the people whom employees e-mail are a firm’s customers, the privacy of many people outside the business is affected by data-retention mandates.
Congress might reduce breaches by relaxing these document-retention requirements in laws like Sarbanes-Oxley. At the very least, Congress should learn from this behemoth, and not enact a law that could decimate electronic commerce in the name of saving it.