WASHINGTON, March 7, 2018 – The National Retail Federation today told the House Financial Services Committee that draft data breach notification legislation needs additional work to ensure that appropriate data security standards are set and that no industries that handle sensitive data are exempt.
“The legislation being considered by the committee is an important step forward but has significant loopholes that would allow major data breaches to be kept secret from the public,” NRF Vice President and Senior Policy Counsel Paul Martino said. “We want to work with the committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur.”
The committee is scheduled to hold a hearing this afternoon on legislative proposals on data breach, including a draft bill released last month. NRF and other business groups said in a letter to the panel that the draft would exempt financial institutions and a poorly defined group of “service providers,” would set “one-size-fits-all” data requirements rather than tailoring rules for the type of data a business holds, and would require the Federal Trade Commission to take a “punitive” approach to enforcement where fines could be imposed even before standards are set.
In a separate statement submitted to the committee, NRF said the Gramm-Leach-Bliley Act of 1999 does not require financial institutions to disclose data breaches despite banks’ claims to the contrary. While the law does set standards for data security for financial institutions, it does not address breaches, and regulatory banking guidance issued in 2005 leaves the decision of whether to disclose breaches to banks’ discretion.
NRF said including banks under mandatory notification requirements is important because they account for five times as many breaches as retailers, according to the 2017 Verizon Data Breach Investigations Report. Unlike other studies cited by banks, the Verizon report includes breaches in a wide variety of industries, not just those that are legally required to report their breaches.
NRF said data security requirements should be “risk-based” and consider the nature of businesses covered and the sensitivity of the data they handle. Instead, the draft legislation would impose regulations designed for the nation’s largest Wall Street banks on small Main Street businesses that handle little sensitive data.
NRF also said U.S. banks should issue chip-and-PIN credit cards, which can help reduce data breaches by reducing the incentive for hackers to steal card data. The chip-and-signature cards currently issued do not stop card numbers from being used either in stores or online, meaning that the incentive to steal numbers remains.
NRF has long called for a uniform federal data breach law to replace separate and often-conflicting laws in 48 states and the District of Columbia that are confusing for consumers and create compliance challenges for multi-state retailers. NRF has argued that the new federal law should cover banks, card processors, telecommunications companies and all other entities that handle sensitive consumer data. By contrast, banks and other industries have pushed for breach notification legislation that would subject retailers to mandatory security rules while banks themselves would be subject only to discretionary guidance.