Retail Coalition Calls for Uniform Data Breach Notification Law

Oct. 2, 2017
NRF petitions Congress in response to Equifax hack

In the wake of the massive Equifax data breach, the National Retail Federation and other related associations have called on Congress to establish a uniform nationwide law regarding data breach notification.

“Every industry sector – whether consumer-facing or business-to-business – faces data security threats that may put consumer data at risk,” the associations said in a formal letter to Senate and House leaders Mitch McConnell, Paul Ryan, Chuck Schumer and Nancy Pelosi. “The fact is that hackers do not discriminate as to the type of business they attack.”

The more than 143 million consumer credit records hacked from Atlanta-based Equifax during May, June and July saw all sorts of personal data stolen – including Social Security numbers, credit card numbers, birthdates, addresses, driver’s license information, and “dispute documents” from consumers contesting alleged credit violations. The breach was discovered on July 29 but not disclosed for more than a month.

The letter asked for a uniform national disclosure law to replace existing state laws, in addition to reasonable data security standards, Federal Trade Commission enforcement, and a requirement that all breached entities be obligated to notify consumers when they suffer a breach of sensitive information that creates a risk of identity theft or financial harm. Thus, this proposed law would have a significant impact on both security integrators themselves and their clients.

“To protect customers and ensure effective public policy, Congress should ensure that any federal breach notification law applies to all affected sectors and leaves no holes in our system for some industries that criminals can exploit,” the letter said.

The letter – signed by groups representing retailers, convenience stores, truck stops, gasoline stations, grocers, real estate agents, franchises and the travel industry – outlines four key principles for federal data security and breach notification legislation:

1. Establish Uniform Nationwide Law: First, with the fifty-two inconsistent breach laws currently in effect in 48 states and 4 federal jurisdictions, there is no sound reason to enact federal legislation in this area unless it preempts the existing laws to establish a uniform, nationwide standard so that every business and consumer knows the singular rules of the road. One federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs. Simply enacting a different, fifty-third law on this subject would not advance data security or consumer notification; it would only create more confusion.

2. Promote Reasonable Data Security Standards: Second, data security requirements in a federal law applicable to a broad array of U.S. businesses should be based on a standard of reasonableness. America’s commercial businesses are remarkably diverse in size, scope and operations. A reasonable standard, consistent with federal consumer protection laws applicable to businesses of all types and sizes, would allow the right degree of flexibility while giving businesses the appropriate level of guidance they need to comply. Legislation taking this approach also would be consistent with the data security standard now used by the Federal Trade Commission (FTC) and all but a few state laws that have adopted data security requirements generally applicable to commercial businesses handling sensitive personal information.

3. Maintain Appropriate FTC Enforcement Regime: Third, federal agencies should not be granted overly-punitive enforcement authority that exceeds current legal frameworks. For example, absent a completed rulemaking, the FTC must bring an action requiring a business to stop behavior that the FTC deems to be a violation of law. The FTC cannot seek civil penalties until it establishes what a violation is. That process gives businesses notice of the FTC’s view of the law and is fair given the breadth of the FTC’s discretion to determine what is legal.

4. Ensure All Breached Entities Have Notice Obligations: Finally, businesses in every affected industry sector should have an obligation to notify consumers when they suffer a breach of sensitive personal information that creates a risk of identity theft or financial harm. Informing the public of breaches can help consumers take steps to protect themselves from potential harm. Moreover, the prospect of public disclosure of breaches creates greater incentives for all businesses handling sensitive personal information to improve their data security practices. Creating exemptions for particular industry sectors or allowing breached entities to shift their notification burdens onto other businesses will weaken the effectiveness of the legislation, undermine consumer confidence, ignore the scope of the problem, and create loopholes that criminals can exploit.

NRF has long called for a uniform federal data breach law to replace separate and often-conflicting laws in 48 states and the District of Columbia that are confusing for consumers and create compliance challenges for multi-state retailers. NRF has argued that the new federal law should cover banks, card processors, telecommunications companies and all other entities that handle sensitive consumer data, not just retailers. By contrast, banks and other industries have pushed for breach notification legislation that would subject retailers to stringent bank-style security rules while banks themselves would be subject only to discretionary guidance.

About the Author

Paul Rothman | Editor-in-Chief/Security Business

Paul Rothman is Editor-in-Chief of Security Business magazine. Email him your comments and questions at [email protected]. Access the current issue, full archives and apply for a free subscription at www.securitybusinessmag.com.