Part 7 of a 7-part report
CHICAGO -- Imagine a data breach at a c-store. Thousands of customers have had financial data stolen through the POS system. What happens next? It depends on which state or states the stores operate in.
“We have something of a patchwork quilt of data-breach privacy regulations in this country,” says John Browning, partner and shareholder with Passman & Jones, Dallas, who specializes in data privacy and network security. The variety of regulations related to how to respond to data breaches makes navigating the fallout that much more difficult, he says.
Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have their own legislation with different requirements for data-breach victims, according to the National Conference of State Legislatures. Congress is considering legislation to create a standard federal data-breach notification requirement and data-security standard.
For its part, NACS is working to ensure the legislation treats c-stores fairly, says Paige Anderson, director of government relations for NACS. Specifically, NACS wants Congress to push regulations that place appropriate notification obligations on telecommunication companies, banks, card networks and card processors vs. retailers.
The association also wants to ensure that industries such as financial services do not receive special treatment, and that the law gives businesses enough time to respond so that the Federal Trade Commission cannot penalize companies before they have a chance to be compliant.