Congress is currently considering legislation that would govern how businesses protect sensitive consumer data such as Social Security, driver’s license, bank account and credit card numbers, and how consumers are notified if that data is breached. NRF strongly supports creation of a uniform national data breach notification law that would replace the conflicting and confusing state laws in place across the country, but is concerned because some industries have sought to be exempted from the legislation.
NRF believes consumers would be best helped by a data breach law which ensures that consumers are notified no matter where a data breach might occur, whether it’s at a retailer, bank, credit card company, data service provider or elsewhere. NRF believes the new law should cover all entities that handle sensitive consumer data, and should not create or maintain an exemption from breach notification rules for any business.
Why it matters to retailers
According to a recent Verizon report, retail accounts for only 4.8 percent of data breach incidents while the financial services industry accounts for 24.3 percent. And U.S. government agencies ranging from the Army to the IRS see more than 70 breach incidents a day, according to the Government Accountability Office. But data thefts committed against retailers receive the most attention because retail stores are household names consumers know. In addition, many state data breach laws require only retailers to notify the public of breaches without requiring banks to do the same. That can lead to the incorrect assumption that retailers are responsible for the bulk of breaches and can leave consumers in the dark about hundreds of non-retail breaches each year that put them at risk of identity theft or financial harm.
In fact, protecting customers’ data is one of retailers’ top priorities. Retailers spend millions of dollars a year on data security, establishing extensive firewalls, hiring world-class cybersecurity experts and taking other steps. For example, an NRF survey shows that by the end of 2019, 80 percent of retailers expect to have adopted point-to-point encryption, which protects card data while it is being transmitted. And 89 percent will have adopted tokenization, which protects information stored in databases.
NRF advocates for data security
NRF is committed to finding broad, long-term solutions and to working with all parties involved to ensure that sensitive consumer information is protected. Data security is a perpetual game of high-stakes leapfrog where each new level of security devised by legitimate businesses is quickly overcome by criminals, so there is no single answer and no single industry that can provide 100 percent security. NRF believes data breach notification requirements are an important part of the solution because they provide a strong incentive to keep data secure and thereby avoid the bad publicity, loss of revenue, government fines and other consequences associated with a breach. Any industry that is exempt from notification has less incentive to protect consumers’ data.
The last time Congress voted on data breach legislation was in 2015, when the House Financial Services Committee approved a bill that would have made notification mandatory for retailers but voluntary for financial institutions. Even 2017’s massive Equifax breach could have remained secret had the measure become law. The legislation also would have imposed cumbersome security procedures intended for massive Wall Street banks on even the smallest retailers, a move former Federal Trade Commission officials said was inappropriate. NRF was able to keep the bank-backed measure from moving further, arguing that any data breach law should cover all businesses that handle consumer data, and that security requirements should match the type of data held. (Retailers typically possess credit card numbers but not the reams of highly sensitive financial details that banks amass on their customers.)
The Financial Services Committee revisited the issue earlier this year, and NRF made sure lawmakers were not pressured into passing a repeat of the 2015 bill. NRF worked closely with the committee to express retailers’ concerns, and joined with other business groups in a letter saying the legislation must “leave no holes in our system that would enable some industries to keep the fact of their breaches secret.” The letter said a data breach law must require all businesses that handle sensitive data to make notice of their breaches and should set “reasonable” security standards appropriate for the size and scope of a business and the nature of the data it handles. The letter also said the law should preempt existing state laws in order to set a uniform national standard, and should be enforced under the existing authority of the Federal Trade Commission.
NRF also worked with the House Energy and Commerce Committee, which attempted to develop a bill of its own and held a “listening session” where NRF and a cross section of industries that would be affected voiced their concerns. Like the Financial Services Committee, the Energy and Commerce Committee also approved legislation in 2015 that would have placed mandatory requirements on retailers, but its measure would have exempted telecommunications companies along with banks.
As of November, neither committed had approved a bill.