News Feature | April 6, 2015

NRF Backs Legislation To Create National Data Breach Standards

Christine Kern

By Christine Kern, contributing writer


During testimony before the House Oversight and Government Reform Committee’s Subcommittee on Information Technology, National Retail Federation (NRF) senior VP for government relations David French offered solutions to better protect consumers and help businesses prevent cyberattacks and data breaches.

The NRF first proposed its recommendations in an open letter to President Obama last month.

“We should not be satisfied with simply determining what to do after a data breach occurs,” French said. “Instead, it is important to look at why such breaches occur and what the perpetrators get out of them so that we can find ways to reduce and prevent not only the breaches themselves but the follow-on harm.”

In his testimony, French outlined six proposed solutions:

  • expanding consumer liability protection for debit cards use
  • issuing Chip-and PIN cards that incorporate both computer microchips and use of a personal identification number (PIN) to authenticate a transaction
  • adopting end-to-end data encryption throughout the payments system
  • developing open source, competitive tokenization standards to replace sensitive data with unique and unusable tokens
  • passing of a uniform, nationwide breach notification law applying to all entities that handle sensitive customer information
  • bolstering federal law enforcement investigation and prosecution of cybercriminals

One piece of the NRF’s proposed solution has taken a step forward, as the Data Security and Breach Notification Act is on its way to the House Energy and Commerce Committee for consideration on April 15, after being approved by voice vote by the subcommittee.

The measure would require companies to maintain “reasonable” security practices, and inform all potentially affected customers within 30 days of a breach.  Violation of the bill would subject companies to enforcement and censure by the Federal Trade Commission (FTC).

“We are one step closer to enactment of an effective and uniform national standard for data breach notification,” French said. “In that vein, we are particularly pleased that the subcommittee approved the amendment offered by Rep. Pompeo, and supported by Rep. Peter Welch, D-Vt., which will close third-party notice holes. Thanks to the Pompeo Amendment, consumers will receive more effective notification about breaches and, most importantly, businesses will be incentivized to enhance their data security practices.

“As we highlighted in our testimony before the Subcommittee [March 25], the retail industry supports a strong and effective data breach notification law that would enhance consumer protections and provide a uniform data breach notification standard for all businesses and firms handling sensitive customer data with equal or equivalent requirements and obligations.”

“Without the cooperation of our partners in the financial system, we cannot alone affect the changes necessary to better defend and protect against cyberattacks that lead to payment card fraud,” French said. “We need to work together to do what we can to improve an aging and outdated payment system that is the principal target of cyberattacks affecting U.S. retail businesses and their customers.”

The NRF has been collaborating with government officials, law enforcement agencies, and other stakeholders to find appropriate and timely solutions to data and payment security to shore-up the retail industry’s defenses against cybercrime.