The National Retail Federation is once again making the case for a new federal law on data breach notifications.
Citing the recent breach at the Equifax credit reporting agency, National Retail Federation and other industry associations are telling Congress that any new federal law on data breach notification should apply to all industries that handle consumer data.
“The fact is that hackers do not discriminate as to the type of business they attack,” NRF and the other groups said
in a letter to House and Senate leadership of both parties. “Every industry sector – whether consumer-facing or business-to-business – faces data security threats that may put consumer data at risk.”
“To protect customers and ensure effective public policy, Congress should ensure that any federal breach notification law applies to all affected sectors and leaves no holes in our system for some industries that criminals can exploit,” the letter said.
The letter was signed by NRF, NRF’s National Council of Chain Restaurants, and associations representing convenience stores, truck stops, gasoline stations, grocers, real estate agents, franchises and the travel industry.
Citing the 2017 Verizon Data Breach Investigations Report, the letter noted that the financial services industry accounts for 24.3% of all data breaches while retail represents only 4.8%. More than 80% of all breaches take place in industries other than those signing the letter.
The letter asked for a uniform national law to replace existing state laws, reasonable data security standards, Federal Trade Commission enforcement, and a requirement that all breached entities be obligated to notify consumers when they suffer a breach of sensitive information that creates a risk of identity theft or financial harm.
NRF has long called for a
uniform federal data breach law to replace separate and often-conflicting laws in 48 states and the District of Columbia that are confusing for consumers and create compliance challenges for multi-state retailers. NRF believes that the new federal law should cover banks, card processors, telecommunications companies and all other entities that handle sensitive consumer data, not just retailers.
By contrast, banks and other industries have pushed for breach notification legislation that would subject retailers to stringent bank-style security rules while banks themselves would be subject only to discretionary guidance.