From Retailers ask Congress for data breach notification law, clarionledger.com
Hardly a week goes by without some major data breach hitting the news. By now, we’ve become accustomed to hearing about these incursions in which hackers gain access to sensitive consumer records. And each time, the number of affected consumers gets bigger and bigger, and often we learn about the event weeks or even months after the damage has been done.
In the case of the Equifax breach last summer, it took several weeks for the news to break that hackers had been raiding the credit-reporting giant’s files, compromising the data of nearly 150 million consumers. Since that breach, business groups and consumer watchdogs have been turning up the heat on Congress to do something about the time it takes to notify those affected by breaches.
The financial and retail industries have long sparred over proposed laws regulating when and how a company should notify the government and the public after a data breach has occurred. At the heart of the matter is a growing recognition — shared by industry groups and both parties in Congress — that better federal laws are needed to replace the varied patchwork of state laws governing breaches across the nation.
On Valentine’s Day, 11 major retail groups petitioned Congress to pass uniform national legislation that “leaves no holes” and makes all types of businesses responsible for notifying consumers in a timely manner.
In a letter sent to the Financial Services Committee, the National Retail Federation and other trade associations representing “convenience stores, restaurants, truck stops, gasoline stations, grocers, real estate agents, franchises, hotels and the travel industry” said they support a uniform federal law governing what businesses must do when credit card or other data is breached, but said it should apply to all businesses that handle sensitive consumer data. The NRF announced the action in a news release.
NRF was part of a group of retail-sector organizations that was protesting a repeat of failed 2015 legislation that would have made notification “mandatory for retailers but voluntary for financial institutions.” The group argued that the financial sector, including banks, credit-card companies and others, accounted for nearly a quarter of all data breaches, while the retail sector accounted for less than 5 percent.
“Every industry sector — whether consumer-facing or business-to-business — suffers data security breaches that may put consumer data at risk,” the letter said. “To protect consumers comprehensively wherever breaches occur, Congress should ensure that any federal breach notification law applies to all affected industry sectors and leave no holes.”
In early January, a broad coalition representing the financial services industry urged Congress to pass “flexible, scalable standards” for data protection that are “tailored to the size and complexity of the organization as well as the sensitivity of the data the organization holds.”
While large-scale breaches happen to retailers, financial-services companies find themselves increasingly targeted by thieves who are often funded and equipped by organized crime. An October report by Thales Security noted that 42 percent of financial institutions had experienced at least one breach in the past, with many reporting multiple events. For its part, the financial industry has been aggressively working to combat fraud attempts. In January, the American Bankers Association announced that banks had stopped $17 billion worth of fraud attempts during 2016.
The sheer size and scale of the Equifax breach is likely to lead to changes in when and how companies of all types must notify the public when a breach occurs, and the pressure is now on Congress to act. But ultimately, what’s at stake is the sensitive information from millions of customers. The protection of that information should be the highest priority for all concerned.