The National Retail Federation and other industry associations are telling Congress that any new federal law on data breach notification should apply to all industries that handle consumer data, citing the recent breach at the Equifax credit reporting agency.
“The fact is that hackers do not discriminate as to the type of business they attack,” NRF and the other groups said in a letter to House and Senate leadership of both parties. “Every industry sector – whether consumer-facing or business-to-business – faces data security threats that may put consumer data at risk.”
“To protect customers and ensure effective public policy, Congress should ensure that any federal breach notification law applies to all affected sectors and leaves no holes in our system for some industries that criminals can exploit,” the letter said.
The letter was signed by NRF, NRF’s National Council of Chain Restaurants, and associations representing convenience stores, truck stops, gasoline stations, grocers, real estate agents, franchises and the travel industry.
Citing the 2017 Verizon Data Breach Investigations Report, the letter noted that the financial services industry accounts for 24.3 percent of all data breaches while retail represents only 4.8 percent. More than 80 percent of all breaches take place in industries other than those signing the letter.
The letter asked for a uniform national law to replace existing state laws, reasonable data security standards, Federal Trade Commission enforcement, and a requirement that all breached entities be obligated to notify consumers when they suffer a breach of sensitive information that creates a risk of identity theft or financial harm.
Equifax announced last week that it had been the victim of a massive data breach that compromised information ranging from names to Social Security numbers for as many as 143 million individuals. The breach, which began in mid-May, was discovered on July 29 but not disclosed for more than a month.
NRF has long called for a uniform federal data breach law to replace separate and often-conflicting laws in 48 states and the District of Columbia that are confusing for consumers and create compliance challenges for multi-state retailers. NRF has argued that the new federal law should cover banks, card processors, telecommunications companies and all other entities that handle sensitive consumer data, not just retailers. By contrast, banks and other industries have pushed for breach notification legislation that would subject retailers to stringent bank-style security rules while banks themselves would be subject only to discretionary guidance.