'New Scheme' on Data Security Could Bring More Red Tape for Small Businesses
Editor's Note — December 15, 2015:
The House Financial Services Committee voted 46-9 on December 8 to approve legislation that would impose bank-style data security rules on retailers and other non-bank businesses. The measure still requires approval of the House Energy and Commerce Committee before it can move to the House floor.
NRF ran a full-page advertisement on Capitol Hill urging members of Congress to reject the bill. Details of the measure are below.
NRF is telling Washington that a proposal to apply bank-style regulations to small businesses in an attempt to improve credit and debit card data security is the wrong approach.
“Everything about the Neugebauer-Carney plan is wrong,” NRF Senior Vice President for Government Relations David French said. “Banks have tough rules because a criminal hack could drain customer accounts in an instant and threaten the safety and soundness of the entire financial system. That’s appropriate for banks. But the small businesses Neugebauer and Carney want to regulate simply don’t pose the same kind of risk.”
House Financial Institutions and Consumer Credit Subcommittee Chairman Randy Neugebauer, R-Texas, and fellow Financial Services Committee member Representative John Carney, D-Del., introduced H.R. 2205, the Data Security Act of 2015, earlier this month.
The bill would apply security standards based on 1999’s Gramm-Leach-Bliley Act to virtually all businesses that handle card data or a wide range of “sensitive personal information.” Companies would be required to designate at least one employee to manage safeguards, conduct a risk analysis, create a plan to safeguard the data and regularly assess and update the plan in light of risks and as technology evolves. Notification of consumers about data breaches would be mandatory.
The legislation has been assigned to both the House Financial Services Committee and the House Energy and Commerce Committee and could see action this summer.
Newspaper ads run by NRF in the two lawmakers’ congressional districts warn local businesses, “More federal regulation could be coming your way if Congressman (Neugebauer or Carney) gets his way.”
“Big-Bank Rules are NOT for small business,” the ads say.
French compared the proposal with a 2007 law intended to limit identity theft that would have required virtually every business to create a compliance plan even if they posed little risk. Once the “outrageous scope” of the plan became apparent, it was rolled back in 2010.
“Rather than wasting time with a new scheme to regulate Main Street businesses already busy just trying to stay afloat, Congress should take concrete steps to make sure the credit card cartel finally does the right thing and makes its cards secure,” French wrote.
French asked why the United States is the last nation to get chip-based cards that have been used around the world for nearly 20 years, and said the new cards should include the use of personal identification numbers in addition to chips.
The overwhelming majority of retailers are small businesses, with more than 98 percent of all retail companies employing fewer than 50 people.