Rapid adoption of mobile payments against a backdrop of major data security breaches has renewed concerns in Congress about efforts to protect consumers against the misuse or theft of private information, such as account numbers or shopping habits. During hearings held in both the House and the Senate in May 2011, lawmakers put businesses on notice that they are closely monitoring both issues and that they intend to legislate protective remedies if pressed.
Protecting consumer data in a mobile world
Since ISOs and merchant level salespeople (MLSs) have direct relationships with merchants, they play an important role in ensuring consumer payment data remains secure.
"Merchants really do need someone in their ecosystem to give them expert assistance and guidance and real-time support," said Tim Cranny, CEO at Panoptic Security Inc. "And the bottom line is either the ISOs need to do that themselves or they need to partner with someone who can do that for them on their behalf."
The default scenario for the industry has become ISOs partnering with third-party data security providers, according to Cranny. But that doesn't absolve ISOs from keeping abreast of data security concerns and educating merchants on the topic.
"We've seen from a long history that the best results are where the ISOs or MLSs don't disengage," he said. Cranny noted that, from a Payment Card Industry Data Security Standard perspective, securing mobile payments has much in common with how e-commerce systems are secured.
"It does have some unique characteristics," he said. "So it is definitely new. It is definitely important. But it's not completely unheard of and revolutionary. It's just a variation on a theme." Cranny added that it is important for ISOs and MLSs to be exposed to the spectrum of data security and mobile POS solutions available.
"You can't dictate a single or a small number of solutions to ISOs because that would limit their traction with merchants," he said.
"So part of the story has to be - whatever the merchant comes to the table with, we need to help and give insight and guidance. So rather than make them into a square peg, we provide all the different shapes to provide for all the different eventualities."
"Consumers continue to lose more control over their personal information, and smart phones are part of this trend as they become more versatile," Sen. Mark Pryor, D-Ark., said during a May 19 hearing before the Senate Committee on Commerce, Science and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance.
"Until there are basic parameters and best practices in place, I have a real concern this problem will only get worse."
In addition to general consumer privacy concerns, lawmakers have said they are concerned about the use of geo-tagging, which uses Global Positioning System coordinates to pinpoint and store information about where people go with their smart phones. Recent reports suggest several of these devices can be used to collect such information without users' knowledge or consent.
"Like many Americans, I am deeply concerned about the recent reports that the Apple iPhone, Google Android Phone and other mobile applications may be collecting, storing and tracking user location data without the user's consent," Sen. Patrick Leahy, D-Vt., Chairman of the Senate Judiciary Committee, said at the start of a May 10 hearing before that panel's Subcommittee on Privacy, Technology and the Law. "I am also concerned about reports that this sensitive location information may be maintained in an unencrypted format, making the information vulnerable to cyber thieves and other criminals."
In early June, Leahy introduced the Personal Data Privacy and Security Act, a bill he has introduced in three previous sessions of Congress. The bill proposes strict data protection requirements on businesses that collect and store sensitive personal information about consumers, and standards for national data breach notification, among other things. Leahy said recent reports of data breaches, in both government and the private sector, "are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country."
Meanwhile, Sen. Al Franken, D-Minn., Chairman of the Judiciary Committee's Subcommittee on Privacy, Technology and the Law, wants Apple Inc. and Google Inc. to require clear and understandable privacy policies for all mobile phone applications. He also wants Facebook to halt plans to permit application providers to access users' home addresses and phone numbers. And he has asked the Department of Justice for an official clarification of the DOJ interpretation of federal laws protecting personal data.
"Requiring that each app in your stores have a clear, understandable privacy policy would not resolve most of the privacy concerns in the mobile market," Franken wrote in letters to Apple Chief Executive Officer Steve Jobs and Google CEO Larry Page. "But it would be a simple first step that would provide users, privacy advocates and federal consumer protection authorities a minimum of information about what information an app will access and how that app will share that information with third parties."
Franken told the technology executives that, at minimum, all location-aware applications for smart phones should be bound by privacy policies that tell consumers what kind of location information is being gathered, how that information is used and how the information is shared.
"Apple and Google have each said time and again that they are committed to protecting users' privacy," Franken wrote. "This is an easy opportunity for your companies to put that commitment into action."
Privacy in legislative spotlight
Congress has debated issues involving consumer privacy, generally, and financial privacy, in particular, for generations. Debate has intensified in recent years, however, because rapidly evolving technologies - such as the Internet and mobile communications - are creating new vulnerabilities.
Today, more than a dozen bills are pending in the House and the Senate that address data security and breaches. Here's a list of some of the pending legislation. You can keep track of these bills, along with other legislation of concern to the payments industry's feet on the street, on The Green Sheet's Legislative Roundup page found under the Resources tab at www.greensheet.com.
Sen. John (Jay) Rockefeller, D-W. Va., turned up the heat on mobile companies during a May 19 hearing before the Senate Commerce Committee Subcommittee on Consumer Protection, Product Safety and Insurance.
"The question of whether private information - known only to the person holding this device - is being collected or shared with others is critical. I think anyone who uses a mobile device has an expectation of privacy, and sadly that expectation is not always being met," said Rockefeller, Commerce Committee Chairman. "The mobile marketplace is so new and technology is moving so quickly that many consumers do not understand the privacy implications of their actions. But one thing is clear - consumers want to understand and have control of their personal information."
To executives of Facebook, Google and Apple, who had been called to testify at the hearing, Rockefeller said, "You can't simply say 'it is not my problem.' I ask you to work with application developers, both large and small, to create better privacy notices and controls that work in the mobile world. This effort should make strong privacy policies and practices for mobile apps the norm, not the exception."
Rockefeller has authored legislation, the Do-Not-Track Online Act of 2011, that would direct the Federal Trade Commission to establish standards for a mechanism by which consumers could opt out of online tracking of their personal information.
In response to the subcommittee's probing, executives from Facebook, Google and Apple said they were committed to protecting consumer privacy and described efforts that are under way to enhance privacy protections. But they cautioned lawmakers against limiting their investigative and legislative efforts to the mobile market.
Google Director of Public Policy Alan Davidson said any comprehensive approach to a privacy policy must include even-handed application to all personal data regardless of the source or the means of collection. He also urged lawmakers to consider the costs and benefits of regulations that might result from legislation, including any actual harm to users and compliance costs. Witnesses reminded legislators that while privacy issues remain a legitimate concern, location information and smart phone identifications are useful and popular consumer tools.
Morgan Reed, Executive Director of the Association for Competitive Technology, said, "The use of location information and smart phone IDs is providing immense value to consumers. Banning the collection of location data would essentially outlaw these beloved consumer apps while doing nothing to address the big questions about data collection and how that data is used. We need to outlaw bad behavior, not good technology."
Facebook Chief Technology Officer Bret Taylor also testified. "Facebook is fundamentally about sharing, and adopting overly restrictive policies will prevent our social features from functioning in the way that individuals expect and demand," he said. "We not only need to innovate to create new protections for individuals' information; we also need to innovate to ensure that new protections do not interfere with people's freedom to share and connect."
David Vladeck, Director of the FTC's Bureau of Consumer Protection, was also called to testify and assured the panel that protecting consumer privacy remains an FTC priority.
Meanwhile, on the other side of Capitol Hill, the House Energy and Commerce Committee Subcommittee on Commerce, Manufacturing and Trade, launched an investigation into the recent breach at Sony Corp., which compromised the personal information of more than 100 million Sony PlayStation users.
Congresswoman Mary Bono-Mack, Subcommittee Chairman, fired off a letter to Sony demanding answers to concerns raised by the breach. But the company declined to elaborate.
"We are very reluctant to release certain investigative information publicly because it is the subject of an ongoing criminal investigation, and because its disclosure could jeopardize the security of other network systems, not just our own," Sony Computer Entertainment America Chairman Kazuo Hirai wrote in response.
"But just as individuals and businesses have come to rely on multiple law enforcement agencies for physical protection, we believe the private sector will need the assistance and support of government and law enforcement to help secure e-commerce and IT systems to stay ahead of and curtail the activity of cyber criminals and cyber terrorists," Hirai stated.
Subcommittee member Rep. Greg Walden, R-Ore., agreed there is ample blame to share. "There is concern that Americans don't have adequate understanding or control over how information about them is collected, used and disseminated in the web, especially as the web migrates to smart phones and tablets," he said.
"Whatever approach we ultimately take, we will strive to create a competitively and technologically neutral approach that both affords consumers protection and preserves innovation."
Sony Network Entertainment International President Tim Schaaff pointed out that any legislative remedies need to balance public information requirements with the need not to so overwhelm consumers with false alarms that the warnings are ignored.
"Laws - and common sense - provide for companies to investigate breaches, gather the facts, and then report data losses publicly," Schaaff said. "If you reverse that order - issuing vague or speculative statements before you have specific and reliable information - you either confuse and panic people without giving them useful facts, or you bombard them with so many announcements that they become background noise."
Chairman Bono-Mack indicated she is working on legislation setting forth federal data security and data breach notification requirements.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.