Why Retailers Are Pushing for All-Inclusive Data Breach Laws
The National Retail Federation and other organizations are urging Congress to evaluate potential loopholes in upcoming changes to data breach laws. The groups say the new laws should cover all industries that work with consumer data, not just retailers.
This response is largely fueled by last year’s Equifax data breach, which compromised information for 145.5 million consumers. Originally, the breach was said to include Social Security numbers, names, birth dates, credit card numbers, addresses and driver’s license numbers. New reports indicate that credit card expiration dates, driver’s license issuing states, phone numbers and email addresses may also have been included in the breach.
The NRF and its supporters fear the structure of the upcoming laws would make it voluntary for financial institutions to notify consumers of a breach. This is similar to legislation from 2015, which proved to be unsuccessful. The House Financial Services Committee held a meeting today to discuss data breach security and notification regulations. Retailers did not have representation in the meeting, but banks did.
The NRF sent a letter to the Financial Services Committee requesting a uniform law throughout the nation and an increase in data security standards. The letter cites Verizon’s 2017 Data Breach Investigations Report, which showed that “well above 80% of all breaches in 2016 occurred outside of the industries represented by the signatories to this letter.” In other words, retailers, hotels and realtors are being held to a higher standard of data breach security notification, even though they represent a minority of data breaches in the country.
With uniform data breach laws, consumers would be notified of a breach regardless of its origin, allowing them to take the necessary steps to protect their identity and preserve their credit scores.