Today, Feb. 18, the California Assembly Judiciary and Assembly Banking and Finance Committees will gather for a joint hearing to discuss one of the more technologically complex problems the Legislature has tried to tackle: data security breaches of companies such as Target, Neiman Marcus and Yahoo.
During the first two weeks of December 2013, nearly 40 million Target customers might have had credit or debit card information stolen and another 70 million had personal information such as emails and addresses taken in the breach. Yahoo email accounts were hacked in late January. And Neiman Marcus revealed in January that 1.1 million credit cards were infected with malware last summer, resulting in at least 2,400 cards being used fraudulently. One of the most recent security breaches is believed to involve data from the company that manages franchises for Marriott, Hilton and Starwood Hotels, according to the New York Times.
“I think consumers are frightened,” said Assemblyman Bob Wieckowski, who chairs the judiciary committee, particularly in light of how much data companies typically collect now. Wieckowski spoke with KQED’s Joshua Johnson about the hearing. For the lawmakers and for worried consumers, he said, there’s really just one question: “How is California law sufficient to protect them?”
Current state law focuses heavily on ensuring that retailers encrypt sensitive data, such as credit card numbers. Wieckowski said that the Legislature first passed a law in 2003 to require that consumers be notified if their data was hacked. At the time, not much thought was given to data that didn’t need to be encrypted. But since that law was passed, Wieckowski said, “We’ve learned that maybe 70 million people’s personal data that Target is just assembling and holding — it’s not part of the point of sale. The hackers were able to get into their database and use this data.” While that kind of data — emails, phone numbers, addresses — tends to be viewed as not as sensitive as credit card numbers, it can affect credit reports and people’s lives, said Wieckowski. “Maybe a third of these people can be vulnerable to identity theft.”
The committees’ hearing will primarily feature speakers from the California Retailers Association, Visa and MasterCard, as well as consumer advocates. Notably, Target and Neiman Marcus representatives will be absent.
According to Wieckowski, both retailers were invited but turned down the invitation because of their own “ongoing investigations.”
Much of the hearing will focus on simply understanding the nature of the breaches, determining what can be done to minimize the harm and looking ahead to where hackers are going. This can be challenging when payment methods, hacking techniques and technology are constantly changing.
“Maybe these breaches are inevitable,” said Wieckowski. “So maybe the question we need to ask (retailers) is what is the personal data they’re collecting on us?” Other states, like Minnesota, have laws that regulate how long a company can hold onto a consumer’s data. California could, theoretically, minimize that time period and change how personal data, which currently isn’t necessarily encrypted, has to be stored. In California, these kinds of data breaches are overseen by the attorney general’s office, but that office can enforce only current California law. “I think our current laws are a bit dated. I think that goes without saying,” said Wieckowski.
Attorney General Kamala Harris released a study last year that found 2.5 million Californians had their data jeopardized by 131 breaches reported to her office.
There is one way to avoid the danger of your information being taken: Don’t give it out. “I tend to use cash now (versus) sliding my card at every opportunity I have,” said Wieckowski.