Retailers want gaps in data breach notification bill fixed

Retailers are fighting for tighter data breach notification legislation.

Retailers, along with the National Retail Federation, told the House Financial Services Committee on Wednesday, March 7, that additional attention is needed when drafting data breach notification legislation. Specifically, they want to ensure that appropriate data security standards are in place, and that no industries that handle sensitive data are exempt.

The committee is slated to meet Wednesday afternoon on legislative proposals regarding data breaches, including a draft bill released last month. According to a letter addressed to the panel, the draft currently exempts financial institutions and a poorly defined group of “service providers.”

It also sets “one-size-fits-all” data requirements rather than tailoring rules for the type of data a business holds. Finally, it would require the Federal Trade Commission to take a “punitive” approach to enforcement where fines could be imposed even before standards are set.

“The legislation being considered by the committee is an important step forward, but has significant loopholes that would allow major data breaches to be kept secret from the public,” said NRF VP and senior policy counsel Paul Martino. “We want to work with the committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur.”

In a separate statement from the committee, NRF said the Gramm-Leach-Bliley Act of 1999 does not require financial institutions to disclose data breaches, despite banks’ claims to the contrary. While the law does set data security standards for financial institutions, it does not address breaches. Further, regulatory banking guidance issued in 2005 leaves the decision of disclosing breaches up to the impacted bank.

NRF believes including banks under mandatory notification requirements is important because they account for five times as many breaches as retailers, according to the 2017 “Verizon Data Breach Investigations Report.” The study includes breaches in a wide variety of industries, not just those that are legally required to report their breaches.

NRF said data security requirements should be “risk-based,” and consider the nature of businesses covered, and the sensitivity of the data they handle. Instead, the legislation draft imposes regulations designed for the nation’s largest Wall Street banks onto small Main Street businesses that handle little sensitive data.

NRF also said U.S. banks should issue chip-and-PIN credit cards — which reduces the incentive for hackers to steal card data — to help reduce data breaches. Existing chip-and-signature cards do not stop card numbers from being used either in stores or online, meaning that the incentive to steal numbers remains.

These are not new suggestions from the NRF. Rather, the organization has long called for a uniform federal data breach law to replace separate, and often-conflicting, laws in 48 states and the District of Columbia. Overall, NRF argues that the new federal law should cover banks, card processors, telecommunications companies and all other entities that handle sensitive consumer data.