Retailers Want More From Data Breach Law

Retailers have requested that the House Financial Services Committee take a closer look at draft data breach notification legislation, saying it doesn’t do enough to ensure appropriate data security standards.

“The legislation being considered by the committee is an important step forward but has significant loopholes that would allow major data breaches to be kept secret from the public,” National Retail Federation Vice President and Senior Policy Counsel Paul Martino said. “We want to work with the committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur.”

As the world’s largest retail association, the NRF wants a uniform federal data breach law to replace the separate, confusing and often-conflicting laws in 48 states and the District of Columbia. NRF believes that the new law should cover banks, card processors, telecommunications companies and all other businesses that come in contact with sensitive consumer data.

It should come as no surprise that banks and other industries would rather see legislation that enforces mandatory security rules for retailers, while subjecting financial institutions to only discretionary guidance.

The draft law, writes the NRF, “does not ensure that all breached businesses have obligations to investigate and provide notice to regulators and consumers of their breaches. Instead, the draft carves out exceptions from notice for three categories of businesses: “third parties;” “service providers;” and a large category of “financial institutions.”

According to NRF, this is worrisome since the 2017 Verizon Data Breach Investigations Report found that banks account for five times as many breaches as retailers. The association goes on to say that data security requirements should be “risk-based,” as well as consider the nature of businesses covered and the sensitivity of the data they handle.