WASHINGTON — Retailers generally backed a new proposal from President Obama on Monday that would require companies to notify their customers within 30 days of a cybersecurity attack and data breach.
This story first appeared in the January 13, 2015 issue of WWD.
Obama broadly outlined the “Personal Data Notification & Protection Act” at the Federal Trade Commission, along with proposed legislation to protect consumer privacy, guard against identity theft and protect the privacy of children using digital forums.
The president’s proposals come amid heightened concern following massive data breaches that hit several major retailers in the past year, including Target, Neiman Marcus and Home Depot, compromising the personal data of millions of consumers.
As a result, Obama said, “We are introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused. Right now, almost every state has a different law on this and it’s confusing for consumers and it’s confusing for companies, and it’s costly too, to have to comply with this patchwork of laws.”
Obama said the measure would also strengthen enforcement against criminals who sell personal financial data and identities in the U.S. and overseas.
In the wake of the recent hacking at major retailers, business groups and lawmakers on Capitol Hill have been calling for a federal breach notification standard to replace and preempt the patchwork of state laws that retailers must meet when a data security breach is discovered and consumer financial and personal data are compromised.
Retailers embraced the concept of Obama’s proposal on Monday, but also called for some flexibility in the 30-day requirement to allow for law enforcement involvement and guidance on notification, and for internal investigations to shut down the breaches.
“We intend to carefully review the details, but on the surface, a 30-day requirement seems within reason and consistent with current industry practices,” said a spokesman for the Retail Industry Leaders Association. “The one caveat I would offer is that when a breach has been identified, law enforcement is often immediately involved, and in order to facilitate their investigation, they have substantial input on when notification is made. A reference to that would be important.”
Mallory Duncan, senior vice president and general counsel at the National Retail Federation, said, “It looks like what the President is doing is very consistent with what we have advocated for a long time and that is gratifying. We are pleased to have the White House support that.”
However, Duncan added, “We don’t know how the President plans to structure the standard. If it is designed in such a way that allows law enforcement to do its job and allows companies to plug the holes [in a data security breach], then it will be fine. If not, then that is something we will have to talk about, but we are fully supportive of what the White House is trying to do.”