Legislation & Lobbying

Proposed bill would limit consumer lawsuits against retailers who comply with data-security rules

In the wake of massive security breaches that reportedly took place in recent months at Target, Nieman Marcus and, security experts say, probably other retailers as well, federal lawmakers have introduced a bipartisan bill that would impose new requirements on companies concerning the protection of confidential information related to credit and debit cards.

But, if it becomes law, the Data Security Act of 2014 would also reduce litigation against retailers who comply with new information-security requirements, WFSA reports.

“This legislation is designed, really, to hurt consumers. It prohibits, for example, private lawsuits. It prohibits class actions. It says you cannot sue under state law, even though the credit card companies and the hackers and everybody else may be violating state law,” consumer attorney Jere Beasley of Montgomery, Ala., told the station. “This act says specifically that you—a victim—cannot file a lawsuit under state law, and that is absolutely mind-boggling.”

The Beasley Allen law firm has filed class actions against Target on behalf of consumers who says they suffered losses as a result of the recent data breach, as another WFSA article details.

Introduced last week by Sens. Tom Carper (D.-Del.) and Roy Blount (R-Mo.), the Data Security Act would provide enhance consumer security by providing uniform national standards in place of a patchwork of state laws that now exist, according to a press release.

It would also require not only retailers but financial institutions and federal agencies to investigate security breaches and inform consumers, Credit Union Times reports.

Similar legislation is being pursued by other federal lawmakers, including Sen. Patrick Leahy, D-Vt., who chairs the Senate Judiciary Committee. This month, he reintroduced the Personal Data Privacy and Security Act, a bill that he has been seeking to enact for most of the past decade.

In addition to strengthening rules requiring companies to protect confidential consumer data and setting uniform national standards, his bill would provide for more severe criminal penalties against both computer hackers and those who conceal security breaches, Leahy said in a written statement (PDF) earlier this month.

The Hill’s Hillicon Valley page, as well as Government Security News and U.S. News & World Report, also have stories about the proposed new laws.

See also:

Bank Info Security: “Breach Notification Bills Pile Up in Senate”

Fox News: “Feds, police differ over whether Texas border arrests linked to Target breach”

NBC News: “Target estimates breach affected up to 110 million”

The Switch (Washington Post, reg. req.): “Prosecutors used this cybercrime law against Aaron Swartz. Now a senator wants to strengthen it.”

We welcome your comments, but please adhere to our comment policy and the ABA Code of Conduct.

Commenting is not available in this channel entry.