House Hearing on Target Data Breach Focuses on Consumer Protection Bill

Updated: 02/25/2014 10:27 PM By: Stephen Tellier

If you're a victim of a data breach like the one at Target, what are your rights? And what should companies be required to do for you?

Those were just two of the questions asked by lawmakers at the State Capitol on the first day of the new legislative session, during a hearing on consumer protection issues.

Target officials were not on hand for the hearing, despite being invited to testify. So most of the discussion surrounded a new bill that was introduced on Tuesday.

It would thrill most data breach victims, but isn't thrilling some lawmakers.

"We really need to focus on consumers' privacy," said Rep. Dan Schoen, DFL-St. Paul Park, at the hearing.

Schoen's consumer protection bill would require retailers to notify customers of stolen information within 48 hours of a breach, offer free credit monitoring for one year, repay customers hit with fees, and provide all affected customers with $100 gift cards.

"I don't see where this bill really helps anything," said Rep. Greg Davids, R-Preston.

Several lawmakers criticized the gift card provision, which they fear would effectively shut down any small business hit with a breach. Think of it this way: If Target had to buy $100 gift cards for at least 40 million customers affected by its breach, that would total $4 billion, or nearly three weeks of revenue for the company.

"Those are job-killing gift cards, the way it sounds to me," Davids said.

"I included the $100 gift card really as a statement to say how serious this issue is," Schoen said.

Lawmakers also expressed concern that 48-hour notification isn't possible in many breaches, and that the bill focuses only on retailers. Many other businesses -- and government agencies -- can also be victimized.

Schoen said the bill is designed to send a message.

"Mainly, it's to encourage some enactment of prevention upon the retailers' part, because we're really trusting them with some of the most private data that you have," Schoen said.

The bill was not voted on Tuesday. That will likely happen in the next few weeks.