Retailers Push for Uniform Data-Breach Notification Law

Forty-seven states have data-breach notification laws on the record, but retailers and merchants groups say those laws are fragmented and confusing. Those associations are making a renewed effort in Congress seeking a national standard.

A coalition of merchant and retail associations at the state and national levels is trying to build momentum on Capitol Hill for the development of a single national standard for how organizations notify consumers of a data breach.

As it stands, 47 states, the District of Columbia, and several U.S. territories have enacted legislation that requires private and government organizations to notify individuals of security breaches that involve personal or sensitive information. However, those laws vary in how they define “personal information,” what constitutes a breach, who must comply with the law, and what notice is required (including timing, method, and who must be notified).

In a letter [PDF] to Congress signed by 44 organizations, the coalition asked for a uniform policy that would apply to all businesses, financial institutions, merchants, payment card processors, technology companies, and telecommunications providers, and that would standardize the notification process so that the public would be informed in a timely manner.

“Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” the coalition wrote. “Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit.”

Several proposed data-breach bills have sought to consolidate the various state laws, but all have failed. The Data Security Act of 2014, the latest attempt, has been stuck in the Senate’s Committee on Banking, Housing, and Urban Affairs since January.

In a statement, the National Retail Federation said the holdup is partly due to the debate over what types of businesses and organizations should be required to comply. In support of its argument that compliance should be required of all organizations, the coalition cited the annual Verizon 2014 Data Breach Investigations Report, which showed that retailers accounted for 10.8 percent of data breaches in 2013, compared to 34 percent for the financial services industry.

“Consumers deserve to know when they are placed at risk, regardless of where the risk arises,” the coalition said in the letter. “Congress should act to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur.”

Retailers and the financial industry have made some progress cooperating on the issue. In September, following reports that celebrity iCloud accounts had been hacked, the Retail Industry Leaders Association and the Financial Services Roundtable organized a summit to highlight efforts by associations in both spaces to improve security through information-sharing.

By Rob Stott

Rob Stott is a contributing editor for Associations Now.