Congress needs to pass a strong and effective federal data breach notification law that applies to all entities that handle sensitive customer data, the National Retail Federation said on March 18 before a congressional panel examining draft data security legislation.

“If Americans are to be adequately protected and informed, federal legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” NRF Senior Vice President and General Counsel Mallory Duncan said. “Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”

Duncan testified before a hearing of the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade, which was examining the Data Security and Breach Notification Act of 2015, proposed by Representatives Marsha Blackburn, R-Tenn. and Peter Welch, D-Vt.

Duncan outlined three principles for a federal data breach notification law, saying such a measure must apply to all entities handling sensitive information, including cloud services companies, payment processors, telecommunications firms, and branded payment networks; must reflect a strong consensus of existing state laws; and must preempt state laws in order to establish a truly uniform nationwide standard.

The draft legislation before the subcommittee would require neither third parties, like cloud-based storage services, that handle sensitive data for ‘covered entities,’ nor ‘service providers,’ such as communications firms, to provide public notice of their own breaches of security. The bill would, however, place new data security and notice requirements on a broad swath of other industry sectors subject to Federal Trade Commission jurisdiction, such as retailers, restaurants, hotels, grocery stores, convenience stores, gas stations, and other merchants.

“Congress should not allow a federal breach notification law to suffer from ‘notice holes’ – the situation where certain entities are exempt from publicly reporting known breaches of their own systems,” Duncan said. “If we want meaningful incentives to increase security, everyone needs to have skin in the game.”