Data security is an issue that is top of mind for both retailers and their customers, and one that touches every sector of the economy. That’s why NRF has advocated for years for real security solutions that protect sensitive consumer information.
With new legislative efforts underway in Congress, we can’t miss this opportunity to truly secure consumer data. It is important that any federal legislation reflects the realities of data security in the 21st century and is ultimately in the best interest of the American people. Congress should keep these five points in mind as it considers the latest round of data breach bills:
1. Breaches happen everywhere.
Hackers don’t discriminate, but there’s one industry that has the most breaches: financial services. In fact, roughly a quarter (24.3 percent) of all data breaches occur at banks, credit unions and other financial institutions, according to the 2017 Verizon Data Breach Investigations Report. That’s the largest share of any sector of the economy and five times as many as retailers (4.8 percent), despite there being far more retailers than banks. A comprehensive federal breach bill should cover every business that handles sensitive personal information, and should not exempt the industry that suffers the most breaches.
2. Consumers deserve notification wherever a breach occurs.
For more than a decade, NRF has pushed for a uniform, national breach notification law that would require all businesses in every industry to notify individuals whose information is stolen. Such a law would replace the patchwork of confusing and conflicting state laws in place across the country — most of which apply to retailers but exempt banks. Financial institutions, however, have consistently asked for special treatment. Not only do they want a way around state laws, they want to be exempted from any federal disclosure requirements. In other words, they want zero accountability for their breaches. That’s not fair to American consumers, who wouldn’t be notified even if another massive data breach like the one last year at Equifax occurred again. All businesses should report security breaches that put consumers at risk.
3. Under current law, banks are allowed to keep their breaches secret.
The financial services industry operates under the Gramm-Leach-Bliley Act, a 1999 banking law governing data security. That law was passed before data breaches were an issue, and it contains no requirement at all for data breach notification. Regulatory “guidance” tacked on in 2005 says banks “should” give notice of data breaches, not that they “must,” meaning there is no mandatory requirement for banks to disclose their breaches. Congress should close this gap that lets financial institutions keep a quarter of all breaches secret from the public.
4. Retailers take data security very seriously and already comply with hundreds of requirements.
Retailers spend millions of dollars each year on data security to protect customer information. An NRF survey found that by the end of 2017, 93 percent of retailers expected to adopt point-to-point encryption, which protects card data while it is being transmitted. Moreover, every merchant that accepts credit cards must comply with hundreds of complex security rules established by the financial services industry through the Payment Card Industry Security Standards Council. The Federal Trade Commission also has authority to hold retailers accountable for failure to employ data security practices that are reasonable and appropriate for their business. Unlike bank and credit union regulators, which have failed to bring any actions against financial institutions for hundreds of breaches in recent years, the FTC routinely brings enforcement actions against businesses under its jurisdiction.
5. Improving payment security would help discourage data breaches.
New EMV chip-and-signature cards do not stop data hacking. While the chip is hard to forge, that does not stop fake cards from being used in stores or stolen card numbers from being used online. That means the incentive for criminals to steal card numbers remains. But if U.S. banks were to issue chip-and-PIN cards, which require the use of a secure, secret personal identification number to approve a transaction, stolen card numbers could be rendered useless both in stores and online, and the incentive to steal card data could be dramatically reduced. PINs are already standard on EMV chip cards in the rest of the world, and for many years have been required to take money out of an automated teller machine. Requiring ATM-level security for credit and debit card purchases should be part of the solution for preventing data breaches.