News Feature | April 1, 2015

NRF Says Gramm-Leach-Bliley Data Security Regulations Are A Poor Fit For Your Merchant IT Clients

By Christine Kern, contributing writer


The Gramm-Leach-Bliley Act (GLBA) has governed data security in the banking industry for more than 15 years. Now, citing a new white paper by two former Federal Trade Commission (FTC) officials that asserts imposing data security rules designed for the banking industry on retailers, merchants, and other nonbank businesses would be a “poor fit,” the NRF has publicly urged the Senate to reject such an expansion.

Authored by former FTC Bureau of Consumer Protection officials Joel Winston and Anne Fortney, the white paper was commissioned by the NRF in response to multiple efforts to expand the ability, authority, and responsibility of the FTC to oversee data security for nonbank businesses, ranging from dry cleaners to taxi drivers, according to a press release.

In the letter, dated March 16 and addressed to Senators John Thune, Bill Nelson, Jerry Moran, and Richard Blumenthal, all members of the Senate Commerce, Science and Transportation Committee, NRF senior VP for government relations David French writes, “Broad expansion of data security standards similar to the Gramm-Leach-Bliley Act guidelines to virtually every unregulated business in the U.S. economy would be a serious error. We support a standard, but it must be a general standard appropriate for the broad array of businesses it would cover.”

The federation cites three key reasons for its opposition:

  • the FTC’s role as a law enforcement agency rather than an oversight regulator
  • overly burdensome obligations on nonbank businesses that have little or no authority to implement changes to payment cards
  • the FTC’s own objections to expanding GLBA requirements to retailers

In the white paper, Winston and Fortney write, “When it issued consumer information privacy and safeguard rules under the Gramm-Leach-Bliley Act, the FTC considered applying the rules to retailers that accept bank credit or debit cards and declined to do so. We believe that determination remains equally justified today.”

Ultimately, the paper noted that while banks collaborate closely with federal regulators on data security, the FTC obtains compliance from nonbank businesses only after the fact, by initiating a law enforcement investigation and reviewing an incident once it has already occurred.

“Safeguards designed for closely supervised banks that issue credit and debit cards are a poor fit for the vast array of entities that accept credit cards and debit cards as payment,” the white paper said. “The FTC lacks supervisory examination authority and lacks the resources to provide the specific guidance and ongoing oversight that would be necessary to effectuate guidelines-type rules covering the huge diversity of nonbank entities.”

Further, many retailers have no authority over the payment cards themselves, which limits the actions merchants can take to ensure data security.

And while the NRF opposes expansion of GLBA requirements to nonbanks, “it has testified in support of a uniform national data breach law that would apply a reasonableness standard modeled after state law under Section 5 of the FTC Act that would cover all entities,” the press release notes.