News

NRF calls for federal law governing data breach response

September 15, 2017

Citing the recent breach at Equifax, the National Retail Federation and other industry associations have sent a letter to Congress insisting that any legislation concerned with data breach notification should apply to all industries that handle consumer data.

"To protect customers and ensure effective public policy, Congress should ensure that any federal breach notification law applies to all affected sectors and leaves no holes in our system for some industries that criminals can exploit," said a letter signed by NRF, the NRF National Council of Chain Restaurants, and associations representing c-stores, truck stops, gas stations, grocers, real estate agents, franchises and the travel industry.

The letter asked for:

• A uniform national law to replace existing state laws.
• "Reasonable" data security standards.
• Federal Trade Commission enforcement.
• A requirement that all breached entities be obligated to notify consumers when they suffer a breach of sensitive information that creates a risk of identity theft or financial harm.

NRF has argued that a new federal law should cover banks, card processors, telecommunications companies and all other entities that handle sensitive consumer data.

By contrast, the NRF said, banks and other industries have pushed for breach notification legislation that would subject retailers to stringent bank-style security rules while banks themselves would be subject only to discretionary guidance.