February 20, 2014



The threat of a "cyber Pearl Harbor" failed to inspire congressional action on cybersecurity, but recent data-breaches that affected over 100 million American consumers, including some in Iowa, just might prod Congress to do something.

Discussions on Capitol Hill have intensified on whether the federal government should require retailers like Target Inc. to tell their customers when hackers break in and steal credit- or debit-card data.

Iowa and 45 other states have data-breach-notification laws, meaning the retailers you patronize - and other places with access to your financial information - must tell you if their systems have been hacked and your personal data stolen.

Now the question is whether Congress should step up with a uniform national-notification requirement and whether that should be accompanied by some minimum level of security that companies must provide when consumers hand over their credit cards.

Iowa's Republican Sen. Charles Grassley could be a central player in making something happen on data-breach and security legislation.

"As far as the Senate's concerned, unless it's bipartisan, it isn't going anywhere," Grassley said in a Senate Judiciary Committee hearing this month.

"This isn't a case of a group of businesspeople on one side and the government on the other side," Grassley said. "We've got a major problem we have to deal with, and I think it's going to take cooperation."

The problem of valuable personal data being accessed and extracted from the places where people work and do business is playing out in communities across Iowa and the nation.

Police departments in northwest Iowa are receiving complaints about suspicious activity in consumers' credit-card accounts after the huge, holiday-season data breach at Target, KIWA Radio reported last week.

There are 22 Target stores in Iowa so it's no surprise that this highly publicized breach is hitting home in the Hawkeye State.

The Better Business Bureau reports that patrons of Affinity Gaming's casinos in Iowa were among the victims when cyber-thieves broke into that company's database last year and stole credit- and debit-card information.

Just recently, Iowans were among the victims when employee information was stolen from the databases of Olmstead Medical Center in Rochester, Minn.

The private sector is trying to get ahead of the issue. Retailers and financial institutions last week announced a joint effort to improve consumer-data security within an "ecosystem" that includes banks, stores, card companies, payment processors and others.

Retail and banking sector witnesses spoke positively during recent hearings about setting a federal breach-notification requirement, suggesting Congress could move in this direction without confronting massive opposition from business groups.

But to do so will require bipartisanship, as Grassley said, as well as creative thinking in terms of how the federal government spells out any new security requirements for businesses.

Grassley has not signed onto the consumer data-breach notification and security bill introduced by Judiciary Chairman Patrick Leahy, D-Vt., but Grassley has some ideas on how to proceed.

He spoke at the hearing about a partnership between the government and private sector and said the highly regarded National Institute of Standards and Technology could provide a model.

NIST, as it's known, works with industry on "best practices" in a variety of areas. Most recently the institute compiled a voluntary "framework of cybersecurity standards" that is the leading edge of the Obama administration's efforts to secure power plants, communications systems and other "critical infrastructure" against cyber attacks.

"When considering data-security requirements, our approach should provide flexibility and also account for businesses of different sizes and different resources," Grassley said at the Judiciary hearing. "(L)et's see how the government can partner with private business to strengthen data security."

Those words could've been lifted from President Obama's executive order last year directing the security experts at NIST to create the cyber framework.

So there is common ground that provides a good starting point for Congress and the White House to consider consumer-data protections.

There are differences too, naturally.

Grassley warned that "over-notification" of consumers could have a dulling effect and end up reducing security. But overall he seemed open to a bipartisan effort in Congress that produces a collaboration between government and business.

Chairman Leahy, Grassley's Democratic counterpart on the Judiciary Committee, said he agreed with that approach.

Let's see if Congress can do its part to give consumers the security they expect when swiping their cards.