As Congressional committees hold hearings on data privacy legislation, the National Retail Federation calls on them not to unfairly single out the retail sector.
In letters addressed to the House Energy and Commerce Committee, the NRF urged lawmakers to apply uniform standards to everyone who handles confidential consumer information.
That may seem like a no-brainer, but NRF has reason to be concerned. In 2015, the House Financial Services Committee approved a bill that would have put retailers, especially, in the hot seat. The bill never made it into law, but had it done so, it would have forced stores to notify consumers of data breaches, while making the disclosure optional for financial institutions.
The measure might have made some sense if retail platforms were the predominant targets of malicious attacks. But the NRF pointed to a 2017 Verizon study that attributed 4.8 percent of data breach incidents to the retail sector, and a whopping 24.3 percent to the financial services industry.
Had the regulation passed, it said, the massive Equifax data breach could have stayed under wraps.
Stores spend millions annually to protect their customers’ information. According to an NRF survey, by the end of 2019, 80 percent of retailers expect to support point-to-point encryption, a measure that protects card data during transmission. “And 89 percent will have adopted tokenization, which protects information stored in databases,” the group wrote.
But malicious attacks on retailers get more attention, “because retail stores are household names consumers know,” the letter continued. “In addition, many state data breach laws require only retailers to notify the public of breaches without requiring banks to do the same. That can lead to the incorrect assumption that retailers are responsible for the bulk of breaches and can leave consumers in the dark about hundreds of non-retail breaches each year that put them at risk of identity theft or financial harm.”
In other words, retail is not only getting a bad rap, but consumers are actually worse off for it. The group can only hope the House Energy and Commerce Committee will remember that during its hearing on Tuesday.
The committee also received another letter, along with the Senate Commerce, Science and Transportation Committee. The latter plans to hold its hearing on Wednesday.
The second message was penned by a dozen associations in all. The authors — which include the NRF, as well as industry groups representing hotels, convenience stores, realtors, grocers, restaurants and others — implored the House and Senate committees to keep an even hand. Failure to do so, the groups warned, could be disastrous or “crippling” to some sectors.
Once again, the letter called for uniformity, or “industry neutrality,” and doubled down on the need for federal consistency nationwide, instead of a frustrating patchwork of state-level rules.
One of the more challenging compliance issues for data security has been the varying guidelines across states. Another is that vendors may face no legal requirement governing how securely they must safeguard the data, beyond whatever private contract terms stipulate.
This simply doesn’t work, according to the groups. Business-to-business firms should be held as accountable as retailers, banks and other consumer-facing businesses, they said.
Not that any of these measures can solve the problem completely. Just as there’s no such thing as a hack-proof technology solution, there’s no piece of legislation that can totally secure people’s data.
The NRF laid out the fundamental challenge: “Data security is a perpetual game of high-stakes leapfrog where each new level of security devised by legitimate businesses is quickly overcome by criminals, so there is no single answer and no single industry that can provide 100 percent security.”
However, it believes that holding every business that handles sensitive data accountable can properly motivate each of them to do more.
And that won’t happen if retailers alone are left holding the bag.