Shifting Blame on Identity Theft


The feds have had a recent set of screw-ups with data security, one involving a Department of Veterans Affairs employee who took home, and lost to theft, a database with personal information on 26.5 million people. One conclusion might be that it's a bad idea to let a guy working at the VA take home personal information on 26.5 million people. Another would be that the federal government should tell the private sector how to manage data security. As Wayne Crews and occasional Reason contributor John Berlau report over at NRO, legislation under consideration would impose one-size-fits-all, Sarbanes-Oxley-like data security regulations on every credit-card accepting business in the country:

…The bills go beyond most state rules requiring consumer notification and actually mandate that businesses follow specific practices and procedures for data security. As they have an incredibly broad definition of information brokers, it won't just be data warehouses like ChoicePoint that are subject to these rules, but the independent convenience store and home-based online seller as well.

The result:

Many small shops would stop taking credit cards, hindering their ability to grow and compete. Many home-based online businesses would never get off the ground.

Whole thing here.

Reason's January ish was chock-full of well-deserved SarbOx bashing. John Berlau looks at SarbOx and stifled speech here. Brian Doherty has more here.


  1. This act would force four small businesses I’m involved with in various roles to either knuckle under to whatever the Feds and State AGs determine, in their infinite wisdom, are “best practices,” or else shut down entirely, as they are all Web-based models.

    All so that Congress can stand up and bleat about how they’re Doing Something.


  2. As someone who works in payment processing, I should point out that Visa and MasterCard already have regulations in place regarding cardholder information security. Businesses that do not follow these strict regulations may face steep fines and even be banned from doing business with credit cards. This legislation would be a totally redundant waste of time. What a shock.
    For more info on an industry successfully policing itself, visit

  3. anon-

    Would it in fact be redundant, or would it be just different enough to create a whole new set of hassles?

    If it is truly redundant then compliance won’t be a big deal. If it is parallel but not quite redundant, then it will be horrible.

  4. No, it wouldn’t be redundant. In fact, most of the bills before Congress are specifically written to supersede state legislation. Folks in the computer security community are really worried that the new federal laws will make data holders much less careful than they are now, because the federal laws have weaker restrictions and requirements than existing state laws (particularly California’s law). Now one may quibble about whether we should have notification laws for things like social security number data leaks, but there are serious issues about lack of responsibility here.
    For example, people’s credit ratings are controlled by three private companies over which they have no control or influence, and who are not liable for incorrect information. There’s probably a market solution, but I don’t know what it is.

  5. . . . three private companies . . . There’s probably a market solution, but I don’t know what it is.

    Gee, we have an oligopoly, but it would be better to have a true market with competition. What to do, what to do, what to do . . .

  6. While I agree that there’s an oligopoly, to the best of my knowledge, there are no government regulations on credit reporting agencies (or no more than there are on widget manufacturers). This is a topic I wish Reason would actually look into. The customers of Experian and the others (Ford, Sears…) are looking for ‘average’ accuracy in credit reporting, and have no stake in whether credit data of individuals is leaked (or even accurate, except overall). People whose data is being reported are not customers (and hence can’t go elsewhere), but are harmed when their data is leaked. Indeed, we need some kind of regulation about proper custodianship of sensitive data. But if we drive tiny web-based businesses under with regulations about how they guard credit card numbers that’s probably not the right solution.

  7. Although credit ratings seem to me more like a natural monopoly situation, rather than a place for a market. If it is a natural monopoly (oligopoly, whatever), then the classic way to induce good behavior is by regulation.

    regulation . . . regulation . . . over which they have no control or influence, and who are not liable for incorrect information.
    HEY, I just got an idea!

  8. The small businesses I shop with online and off seldom retain credit card info at all, swiping the card directly into a payment processing company’s terminal. The seller passively receives the credit card number but doesn’t record it anywhere. Auditing of the transaction and refunds are handled either through a transaction number issued by the processor or, again, by swiping the same card on a terminal owned by the same processing company.

    Same goes for online payments through many, possibly most, online merchants these days and especially so for the small vendor selling through eBay or the like. That’s what PayPal is.

    I haven’t read the whole bill or even an abstract of it. This post and the NRO article it cites simply say the law is onerous. Is it? Does it place any new requirements on small business for direct online and in-person transactions, or just for transactions where the merchant foolishly retains the numbers and in the cases where the merchant is getting a credit card number on paper by fax or scribbled on a post-it over the phone? Does it cover online user databases that aren’t used for commerce, like message boards and things like MySpace?

    In the former case, ending some small businesses’ stupid and useless practice of retaining credit card numbers on file when this data retention is cheaply subcontracted out as part of the payment processing they already pay for would be a good thing. For the second, well, if you’re gonna be storing credit card numbers in manila folders or a spreadsheet, maybe you should be expected to adhere to a burdensome set of data security practices, whether through law or threat of lawsuit in the event of a breach. And if it covers all user databases of any kind, or if the bill puts measurable, pointless burdens on merchants who don’t retain the data in the first place, well, that would be bad. Yes.
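The practice comment 8 describes, keeping only the processor's transaction number and never recording the card number, is the standard way a small merchant keeps card data out of its own systems. The following added example (not code from the post, the article, or any processor) shows what that looks like in a merchant's record-keeping: the authorization response is assumed to be a dictionary with `transaction_id`, `pan` and `amount_cents` fields (a constructed shape, not a real processor's API), the stored record keeps only the reference and the last four digits, and a guard scans any record before it is written and refuses anything that still looks like a full card number.

```python
import re

# Matches runs of 13 to 19 digits, the length range of payment card numbers.
_DIGIT_RUN = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Heuristic: any 13-19 digit run that passes Luhn is treated as a card number."""
    return any(luhn_valid(m.group(0)) for m in _DIGIT_RUN.finditer(value))


def assert_no_pan(record: dict) -> None:
    """Refuse to store a record if any string field appears to hold a full card number."""
    for key, value in record.items():
        if isinstance(value, str) and looks_like_pan(value):
            raise ValueError(f"field {key!r} appears to contain a full card number")


def build_merchant_record(auth_response: dict) -> dict:
    """Keep only what refunds and reconciliation need: the processor's reference,
    the amount, and the last four digits for display. The PAN is dropped here
    and never reaches the merchant's own storage.

    `auth_response` is a constructed shape for this example, not a real API."""
    pan = auth_response["pan"]
    record = {
        "transaction_id": auth_response["transaction_id"],
        "amount_cents": auth_response["amount_cents"],
        "card_last4": pan[-4:],
    }
    assert_no_pan(record)       # defence in depth: fail closed if a PAN slipped through
    return record


def store_note(note: str) -> str:
    """Free-text fields (order notes, support tickets) are where card numbers
    written 'on a post-it over the phone' tend to end up; check them too."""
    assert_no_pan({"note": note})
    return note


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test number, not a real card.
    sample = {"transaction_id": "txn_0001", "pan": "4111111111111111", "amount_cents": 1999}
    print(build_merchant_record(sample))
    try:
        store_note("customer read card 4111 1111 1111 1111 over the phone")
    except ValueError as exc:
        print("rejected:", exc)
```

The Luhn check keeps the guard from firing on ordinary long numbers such as order IDs, while the spaced-out card number in the note is still caught because the regex runs on the digit runs within the text only after spaces are considered; in practice you would normalise separators before scanning, which is left as an exercise to keep the example short.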

  9. I’m not attacking all regulation here, but I wonder how much regulations like these, taken together, cost this country in productivity and growth? These sorts of unfunded mandates usually do more to make Congress look like it’s “doing something” about whatever problem than actually doing anything to solve the problem.

    Worse still, such laws and regulations are usually so poorly drafted and contain so many conflicting provisions that they require that TONS of money be spent on lawyers, consultants, accountants, and new, permanent personnel for ensuring ongoing compliance. Not to mention the huge IT and other costs that usually come with such laws.

    I’m okay with some of these laws to the extent that they require a company to disclose certain things. But the ones that make the companies into little mini-regulators/law enforcement agencies are particularly onerous, especially for smaller companies. I’ll bet that we blow half a trillion a year or more on this sort of thing. The total regulatory “friction” on the economy is probably in the multi-trillions. A year. Though I suppose the money doesn’t all disappear. But it’s not going directly into the hands of people who are actually producing anything useful.

  10. I’ll bet that we blow half a trillion a year or more on this sort of thing.

    Fair point, but I think it is only fair to net out any transaction costs saved by the regulation. Using the present example of this credit card regulation, the cost of the regulation is that cost to businesses minus the cost of any credit card fraud that would have occurred absent the regulation.

    Often it can be hard to know what the costs would have been absent the regulation. If this regulation prevents enough frauds from occurring, then it is a boon economically, despite the fact that you can directly observe the cost side of the balance sheet instead of the savings, which are in the form of frauds that never occurred. This regulation may indeed be inefficient, but there is probably a temptation to jump too easily to that conclusion.

    Besides the question of whether the net dollar effect is positive or negative, there is also the question of the value of the way the costs are distributed by the regulation. What I mean is that we want customers to feel safe doing business with their cards. If credit card fraud is a sort of lottery where a few unlucky people absorb most of the damage, then it can be better to set up a scheme that prevents the fraud and distributes the cost of preventing the fraud evenly throughout the whole relevant community.

    Maybe this sounds silly, but a bit back Jersey (I miss Jersey :( ) asked us what the value add of the health insurance industry was. Basically the answer we gave him was that the health insurance system was valuable because it distributed costs and benefits among and to healthcare consumers in a fair way. Similar idea, although this credit card regulation probably costs a lot less than the risk-spreading apparatus part of the health insurance industry does.
