ST. PAUL, Minn. — Objections to a bill that would expand the victim-notification process after a retail or wholesale business data breach were strident and frequent during a hearing Tuesday afternoon of the Minnesota House commerce committee.
State representatives also doubted the wisdom of the penalties that the bill, authored by Rep. Dan Schoen, DFL-St. Paul Park, would impose on businesses that incur a data breach.
The proposed bill would require notifying individuals whose information appears to have been stolen within 48 hours of the breach's discovery. Victims of data theft also would be offered free credit monitoring for one year within 30 days of the breach. And if those responsible for the breach are retailers or wholesalers of consumer goods or services, they must give the victim a $100 gift card that is valid for at least one year.
"That's $11 billion Target would have to pay," said Rep. Greg Davids, R-Preston, referring to the gift-card provision if Schoen's bill were law during the massive data breach that Target officials discovered in December. "Those are job-killing gift cards."
Experts say thieves gained access to hometown retail giant Target's data-storage systems during the holiday season, stealing about 40 million credit and debit card numbers and the personal information of as many as 70 million customers. Stolen data included names, email addresses, phone numbers and home addresses.
Schoen conceded that his gift-card idea was more a ploy to bring attention to restoring consumer confidence in the privacy of their personal information. He applauded Target's handling of the breach — which included one year of free credit monitoring — but said that cyber-incursion spurred the idea for his bill.
"I think we should fortify in statute one year of credit monitoring and encourage folks in business to do the right thing, which is protect our data," he said.
But many of his committee colleagues said businesses already were doing the right thing.
Rep. Sarah Anderson, R-Plymouth, asked whether the bill was redundant, saying what Schoen wants to codify already falls under the purview of the Minnesota attorney general.
"It looks like we already have remedy in place," Anderson said.
Several lawmakers, including Rep. Kurt Zellers, R-Maple Grove, asked whether public entities also would be covered under Schoen's bill. Though Schoen emphasized repeatedly that an "even playing field" should exist between the private and public sectors, it remains unclear whether the legislation would include government agencies, said Andrew Biggerstaff, a Minnesota House legislative analyst. The question would be conclusively answered only if and when a court ruled on it, Biggerstaff said.
Public entities also store people's private information, Zellers said, and their practices sometimes are "fast and loose."
Committee members who agreed with Zellers pointed out that MNsure has faced no consequences for a September data breach involving more than 1,000 Social Security numbers.