NRF Wants Distinction on National Data Breach Notification Standard

June 8, 2007
Retailers group wants identity theft at retailers distinguished from other types of identity theft

WASHINGTON, June 6 -- The National Retail Federation today welcomed proposals for a national data breach notification standard, but said any new federal law should recognize the fact that retailers usually do not possess the private consumer data needed to commit identity theft.

"A uniform national data breach standard with strong preemption is the only way to ensure that all consumers are treated equally," NRF Senior Vice President and General Counsel Mallory Duncan said. "Preemption would also lessen the compliance burden for all businesses and allow for one clear notice to be given to all affected customers. Current state laws are generally written to cover residents of that state, not businesses that conduct business there. This means that under the current patchwork of state laws, even small businesses could conceivably run into a multi-state compliance burden just by having customers from another state."

Duncan, who testified at a House Small Business Committee hearing on how data security legislation could impact small businesses, said retailers typically possess the names and credit card numbers that make credit card fraud possible if breached, but not the Social Security numbers and other detailed information needed to commit identity theft. While identity theft can be difficult to resolve, most fraudulent credit card charges can be easily erased under the Truth in Lending Act requirements and other federal law, he said.

"The distinction between true identity theft and credit card account fraud is very important," Duncan said. "For most businesses, the most sensitive piece of customer information they possess is a credit card number. A data breach resulting in the loss of a credit card number may at worst lead to credit card fraud, which is easily detected and resolved, and not the more insidious crime of identity theft. As a result, legislation should treat the breach of account information differently than the breach of more sensitive data."

Duncan did not endorse a specific data breach notification bill, but NRF has supported the Federal Trade Commission's proposed "significant risk" standard rather than "reasonable risk" standards that could lead to over-notification and desensitize the public to cases that could pose a real risk.

Duncan said any legislation on data security should take into account both the type of data held by different businesses -- not imposing the same requirements on retailers, for example, as on financial institutions, which hold a full array of personal data -- and also their size.

"For data thieves, it literally is a numbers game," Duncan said. "They go where it is efficient to gather the greatest amount of useful electronic information. Most small businesses do not generally store these large caches of sensitive information that the thieves most value."

Similarly, extending data security laws to paper documents is unnecessary because would-be identity thieves are not likely to steal large quantities of paper documents when they can more easily acquire the data electronically, Duncan said.

Duncan said legislation requiring retailers who suffer a data breach to reimburse banks for the cost of reissuing credit cards is not needed because merchants' contracts with credit card companies and banks already require the party responsible for a data breach to cover associated costs.