NRF identifies flaws in data breach bill

In a March 7, 2018, meeting with U.S. House Financial Services Committee members, the National Retail Federation urged the committee to rewrite proposed legislation pertaining to data breach notifications. The NRF, which has long pushed for uniform data breach legislation, called the bill a good effort that falls short of protecting retailers. At issue are a "one-size-fits-all" approach and overly protective stance toward select parties, according to NRF Vice President and Senior Policy Counsel Paul Martino.

Martino found loopholes in the bill's first draft that he claimed would exempt financial institutions and third-party service providers from punitive actions, as well as allow organizations to hide major data breaches from public view. "We want to work with the committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur," he stated.

Proposed guidelines introduced by Reps. Blaine Luetkemeyer and Carolyn Maloney call for federally enforced data security and data breach notifications overseen by the Federal Trade Commission. Ideally, these uniform protections would create a flexible, technology-neutral data security standard. They would also require breached parties to notify consumer and law enforcement immediately when personal information has been stolen or compromised.

Four critical principles

In a March 7, 2018, letter, the NRF and other retail organizations, collectively representing more than a million U.S. consumers, petitioned the House Financial Services Committee to include four critical principles in the proposed data breach legislation: create a uniform, national law; set reasonable security standards; maintain appropriate enforcement; and notify all breached entities. They also brought up the following issues:

• Breach notice: The draft bill does not ensure that all breached businesses have obligations to investigate and provide notice to regulators and consumers.

• Data security: The draft legislation sets data security requirements that are unreasonable and inappropriate for millions of commercial businesses.

• FTC enforcement: The draft legislation modifies the FTC's traditional enforcement powers so that its actions can be punitive, and the Commission could exact fines even before data breach specifics have been established.

Call for equal responsibility

In addition, the authors voiced concerns that the legislation sets an "immediate" standard for notice that they believe may be unachievable. The letter was signed by the following parties:

• International Franchise Association
• National Association of Convenience Stores
• National Association of Truck Stop Operators
• National Council of Chain Restaurants
• National Grocers Association
• National Restaurant Association
• National Retail Federation
• Petroleum Marketers Association of America
• Society of Independent Gasoline Marketers of America
• U.S. Travel Association

NRF representatives maintained that varying approaches to data breach enforcement in 48 states are inconsistent and conflicting, which can be confusing for consumers and multistate retailers. The association is calling for a uniform federal law that holds banks, card processors, telecommunications companies and other entities equally responsible for managing sensitive consumer data.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.