Earlier this week I testified at a hearing of the House Small Business Subcommittee on Finance and Tax about the impact of proposed new data security regulations on small business, especially e-commerce retailers.
I reminded the lawmakers that it takes a thief to commit identity theft. When a laptop is left behind at an airport, or a data tape falls off the back of a truck, no crime is committed — until someone uses the information for a criminal purpose such as stealing credit card numbers or opening credit accounts in someone else’s name.
I wanted the subcommittee to understand that consumers aren’t the only victims of identity theft. So are businesses. In fact, businesses take the hit for $50 billion of the $55 billion that identity theft and credit card fraud costs every year. And I wanted the members to understand that regulatory compliance is especially difficult and expensive for small businesses, most of which are stretched so thin that they are often too busy fighting fires to take time to prevent them.
I doubt that we need new data security regulations in the first place, or that new laws will do much to curb identity theft. But whether I like it or not, it looks like new regulations are coming, so I offered the subcommittee some suggestions for how those regulations could be made more workable for small business.
Congress should create a single national standard for notification and data protection to replace the current patchwork of 35 different state laws. But while a national standard would be a big help, it should be drafted very carefully. For example, consumers should only be alerted to data breaches that pose a real risk of identity theft or credit card fraud. Over-notification would only serve to desensitize consumers to truly risky situations when they do arise.
Merchants have cooperated with the card industry and banks to create a vibrant e-commerce market that would not be possible without credit cards. But now, some banks and credit unions want new laws that shift costs to merchants—whether or not they were negligent in losing data. Congress should not impose strict liability on businesses that have been victimized by a security attack or loss of data.
Businesses should be given incentives to make sure that lost or stolen data isn’t readable when it falls into the wrong hands. Encryption software is today’s solution, but new regulations should not lock in today’s technology forever. When something better than today’s encryption comes along, businesses shouldn’t have to ask permission from federal regulators.
New regulations should be flexible enough for small businesses to comply, especially businesses that have never before been regulated. Overly prescriptive national standards won’t work, and we still need to remember that even flexible standards will be expensive for small businesses to meet.
Finally, regulators should not force small businesses to comply with new and more stringent data security rules until the government can identify approved best practices to serve as a roadmap to compliance.