
NRF proposes solutions to deal with cybersecurity threats, including breach notification law

3/18/2015

Washington, D.C. -- The National Retail Federation on Wednesday presented Congress with what it termed “practical, commonsense and achievable solutions” to better protect consumers and help businesses prevent cyberattacks and data breaches, including passage of a uniform nationwide breach notification law applying to all entities that handle sensitive customer information.



“We should not be satisfied with simply determining what to do after a data breach occurs,” said NRF senior VP for government relations David French. “Instead, it is important to look at why such breaches occur and what the perpetrators get out of them so that we can find ways to reduce and prevent not only the breaches themselves but the follow-on harm.”



French outlined six proposed solutions during his testimony before the House Oversight and Government Reform Committee’s Subcommittee on Information Technology, including:



• Expanding consumer liability protection for using debit cards;



• Issuance of PIN-and-Chip cards that incorporate both computer microchips and use of a personal identification number (PIN) to authenticate a transaction;



• Adoption of end-to-end data encryption throughout the payments system;



• Developing open source, competitive tokenization standards to replace sensitive data with unique and unusable tokens;



• Passage of a uniform nationwide breach notification law applying to all entities that handle sensitive customer information; and



• Bolstering federal law enforcement investigation and prosecution of cybercriminals.



NRF’s recommendations were first proposed in an open letter to President Obama published in advance of the White House Summit on Cybersecurity and Consumer Protection last month.



“These are proposals that we believe policy makers can work together to achieve in the near term, either through consumer and industry-supported legislation or by working with the private sector on improving security practices outside of the lawmaking process,” French said.



In his testimony, French also reiterated NRF’s opposition to legislative efforts to impose on retailers, merchants and other nonbank businesses and individuals the same Gramm-Leach-Bliley Act (GLBA) data security regulations designed for banks.



“Without the cooperation of our partners in the financial system, we cannot alone effect the changes necessary to better defend and protect against cyberattacks that lead to payment card fraud,” French said. “We need to work together to do what we can to improve an aging and outdated payment system that is the principal target of cyberattacks affecting U.S. retail businesses and their customers.”

