WASHINGTON — Retailers sent a letter to House leaders Tuesday outlining their opposition to a data breach notification bill that they charge would apply banking regulations to the retail industry and have an adverse impact on businesses across the country.
Lawmakers have been considering various data breach bills amid heightened concerns following massive data breaches that have hit several major retailers in the past few years, including Target, Neiman Marcus and Home Depot, and compromised the personal data of millions of consumers.
Retailers, which have supported some of the measures, have been strong advocates of a national federal breach-notification standard to replace a patchwork of state laws that retailers must meet when data security breaches are discovered and consumer financial and personal data are compromised.
But the Retail Industry Leaders Association is taking a stand against one particular data breach notification bill in the House. RILA sent letters to House Speaker Paul Ryan (R., Wis.) and Democratic Minority Leader Nancy Pelosi (D., Calif.) and others highlighting what it said are “serious concerns” with the “Data Security Act of 2015.”
While the bill, introduced by Rep. Randy Neugebauer (R., Tex.), contains some of the concepts retailers support, it sets mandates that they strongly oppose.
“This legislation would not only have a detrimental effect on the retail community, but would also negatively impact businesses of all sizes across the country,” said Jennifer Safavian, executive vice president of government affairs at RILA.
Key among those mandates is a provision that would regulate every nonbanking entity currently under the jurisdiction of the Federal Trade Commission by applying a rule used to regulate the banking industry, known as the Gramm-Leach-Bliley Safeguards Rule.
“It makes no sense to take one industry’s regulations and apply it to a large segment of the economy without understanding the consequences,” Safavian said. “For example, certain aspects of these new regulations would require anyone that touches sensitive account information, defined as a credit or debit card, to first pass a criminal background check.”
She said that would subject millions of “frontline” employees who work behind cash registers or stock shelves to “an intrusive background check.”
“This is one regulation that makes perfect sense for the banking industry where individuals handle loans and mortgages, but it is certainly not necessary for the high school student working part-time as a sales associate at a cash register,” she added.
The measure will also codify security standards into statute that “would almost immediately be obsolete and static,” she said.
The Safeguards Rule, which applies to the financial services sector, is currently a regulation and not a statute, and it can be modified over time as security threats or best practices change, according to RILA.
The pending House bill “takes the opposite approach by codifying the Safeguards Rule, which will hinder efforts by retailers to adapt to an evolving threat landscape and changing technology,” she said.
Safavian added that RILA is dedicated to working with lawmakers to pass a federal data breach bill that “creates clear notification principles, institutes a federal preemption standard and implements smart regulations tailored for the retail industry.”