WASHINGTON -- Multiple retail associations, including NACS, the National Grocers Association, the National Retail Federation (NRF) and others, are urging lawmakers to improve data-breach notification legislation currently moving through the House Committee on Financial Services.
These retail associations want to ensure that any legislation setting national data security standards does not exempt any industry, banks especially.
The draft bill leaves enforcement of breach notification laws for financial institutions up to federal banking regulators. Enforcement for any other company or entity would be handled by state attorneys general and the Federal Trade Commission.
“The legislation being considered by the committee is an important step forward but has significant loopholes that would allow major data breaches to be kept secret from the public,” NRF Vice President and Senior Policy Counsel Paul Martino said. “We want to work with the committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur.”
The Gramm-Leach-Bliley Act of 1999 does not require financial institutions to disclose data breaches despite banks’ claims to the contrary, the NRF said. Furthermore, regulatory banking guidance issued in 2005 leaves the decision of whether to disclose data breaches to the banks themselves, according to the NRF.
Aside from the above directives, there is currently no government-set national standard for data security. Instead, a breached company must comply with the laws of every state in which the affected individuals reside. This patchwork approach can pose a serious headache for both regulators and breached companies trying to navigate layers of confusing and sometimes contradictory requirements that differ from state to state, the retail associations said.
“To be effective, federal data security and breach notification legislation should apply nationwide, set reasonable data security standards, maintain an appropriate enforcement regime and ensure that all breached entities have notification obligations, regardless of industry,” read a recent letter from Paige Anderson, the director of government relations for NACS, to the chairman and a ranking member of the House Committee on Financial Services.
Massachusetts Attorney General and Data Privacy and Security Unit Chief Sara Cable said the bill only requires breached companies to inform consumers if the company determines that harm has already been done, according to Forbes. Cable said most current state laws instead mandate that consumers be informed of a breach if the company determines the breach poses a future risk of harm.
There is also a provision in the draft bill stating that regulators would only require a data breach notification if at least 5,000 residents of a particular state were affected. Cable told legislators that less than 1% of the more than 3,800 data breaches reported to her office alone last year would meet that threshold. “This bill will leave consumers in a worse position than the status quo,” she said.
Forbes also reported that Jason Kratovil, a lobbyist for a trade group representing America’s biggest banks, praised the draft bill and said that it set a high bar for data protection without imposing excessive costs on small businesses.