Retailers say data breach notification law should cover all affected businesses and 'leave no holes'

"No industry should be allowed to keep its data breaches secret."

NRF Vice President Paul Martino

WASHINGTON – Any new data breach notification law passed by Congress should cover all industries that handle consumer data and “leave no holes” that would allow events like last year’s Equifax breach to remain hidden, the National Retail Federation and other groups told lawmakers today.

“American consumers want to know if their data has been breached no matter where the breach occurs,” NRF Vice President and Senior Policy Counsel Paul Martino said. “No industry should be allowed to keep its data breaches secret.”

The House Financial Services Committee is scheduled to hold a hearing on data breaches on Wednesday, and NRF is concerned that the session will lead to a repeat of unsuccessful 2015 legislation that would have made notification mandatory for retailers but voluntary for financial institutions. Banks will be represented at the hearing but retailers have not been invited. NRF prefers the approach being taken by the House Energy and Commerce Committee, which held a “listening session” last week where representatives of a cross section of industries that would be affected by a breach law were allowed to voice their concerns.

In a letter sent to the Financial Services Committee today, NRF, NRF’s National Council of Chain Restaurants and other trade associations representing convenience stores, restaurants, truck stops, gasoline stations, grocers, real estate agents, franchises, hotels and the travel industry said they support a uniform federal law governing what business must do when credit card or other data is breached, but said it should apply to all businesses that handle sensitive consumer data.

“Every industry sector – whether consumer-facing or business-to-business – suffers data security breaches that may put consumer data at risk,” the letter said. “To protect consumers comprehensively wherever breaches occur, Congress should ensure that any federal breach notification law applies to all affected industry sectors and leave no holes.”

Citing the 2017 Verizon Data Breach Investigations Report, the letter noted that the financial services industry accounts for 24.3 percent of all data breaches while retail represents only 4.8 percent. More than 80 percent of all breaches take place in industries other than those signing the letter.

The letter asked for a uniform national law to replace existing state laws, establishment of “reasonable” data security standards, Federal Trade Commission enforcement, and a requirement that all breached entities be obligated to notify consumers when they suffer a breach of sensitive information that creates a risk of identity theft or financial harm.

NRF has long called for a uniform federal data breach law to replace separate and often-conflicting laws in 48 states and the District of Columbia that are confusing for consumers and create compliance challenges for multi-state retailers. NRF has argued that the new federal law should cover banks, card processors, telecommunications companies and all other entities that handle sensitive consumer data. By contrast, banks and other industries have pushed for breach notification legislation that would subject retailers to mandatory security rules while banks themselves would be subject only to discretionary guidance.

About NRF
NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private-sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy.