Congress needs to pass a strong and effective federal data breach notification law, National Retail Federation

NRF Concerned over ‘Notice Holes,’ Wants ‘Everyone to Have Skin in the Game’

WASHINGTON, 2015-3-19 — /EPR Retail News/ — Congress needs to pass a strong and effective federal data breach notification law that applies to all entities that handle sensitive customer data, the National Retail Federation said today before a congressional panel examining draft data security legislation.

“If Americans are to be adequately protected and informed, federal legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” NRF Senior Vice President and General Counsel Mallory Duncan said. “Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”

Duncan testified before a hearing of the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade, which was examining the Data Security and Breach Notification Act of 2015, proposed by Representatives Marsha Blackburn, R-Tenn. and Peter Welch, D-Vt.

Duncan outlined three principles for a federal data breach notification law, saying such a measure must apply to all entities handling sensitive information, including cloud services companies, payment processors, telecommunications firms, and branded payment networks; must reflect a strong consensus of existing state laws; and must preempt state laws in order to establish a truly uniform nationwide standard.

The draft legislation before the subcommittee would require neither third parties, like cloud-based storage services, that handle sensitive data for ‘covered entities,’ nor ‘service providers,’ such as communications firms, to provide public notice of their breaches of security. The bill would, however, place new data security and notice requirements on a broad swath of other industry sectors subject to Federal Trade Commission jurisdiction, such as retailers, restaurants, hotels, grocery stores, convenience stores, gas stations, and other merchants.

“Congress should not allow a federal breach notification law to suffer from ‘notice holes’ – the situation where certain entities are exempt from publicly reporting known breaches of their own systems,” Duncan said. “If we want meaningful incentives to increase security, everyone needs to have skin in the game.”

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation.


Stephen E. Schatz
(855) NRF-Press