In a letter addressed to Congressional leaders of the U.S. Senate and the House of Representatives, dozens of retail groups across the United States demanded the implementation of federal data protection legislation that would establish clear guidelines for businesses in the event of a breach.
Signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Restaurant Association and the National Association of Chain Drug Stores, the letter urged Congress to “standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur.”
The letter, which dates back to November 6, reiterates the recent data breach incidents that have shaken the industry – as well as the millions of customers affected, listing the infamous JP Morgan Chase network intrusion, Apple’s iCloud scandal, as well as the breach at a Department of Homeland Security (DHS) contractor.
“Data security intrusions are a threat faced by every sector of our nation,” read the letter. “Consumers deserve to know when they are placed at risk, regardless of where the risk arises. The public expects no less.”
Likewise, the signatories stressed the importance of creating guidelines that are equal across all entities, including service providers, declaring, “…Data breach legislation should not subject businesses handling the same sensitive customer data to different rules with different penalty regimes, as such a regulatory scheme will inevitably lead to inconsistent public notice and enforcement.”
As of now, 47 states, in addition to the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have enacted legislation requiring private or government entities to notify individuals of security breaches.
However, according to the National Conference of State Legislatures, these notification laws commonly include varying provisions regarding who must comply, the definition of “personal information,” what constitutes a breach, exemptions, and requirements for notice.
Yet, not all organizations backed the retailer groups’ propositions. Financial trade groups stood on the other side of the debate, arguing the letter sent to Congress was “inaccurate and misleading” in a response written one week later.
The joint letter, authored by the American Bankers Association (AMA), The Clearing House, the Consumer Bankers Association and the Credit Union National Association, among others, responded with an attempt “to set the record straight,” as the retailers’ recommendations “left consumers vulnerable to enhanced risk of data breaches.”
“While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks,” read the letter.
More so, the financial groups stressed the two industries differ due to the lack of Federal laws and regulations that do not require retailers to protect consumers’ data, and notify consumers when it they are breached.
“…An extensive regulatory oversight, examination and enforcement regime ensures that financial institutions provide robust protections for personal financial information for the American public,” stated the financial groups, arguing a similar internal safeguard regime fails to exist for retailers and others.
Financial services supporters ultimately emphasized that the proposed solution of national consumer notification alone, would not solve the escalating cybersecurity problem seen today.
Ken Westin, security analyst at Tripwire, suggests a better solution may require the two industries to work closer together. “Instead, of pointing fingers, I would rather see the two working together to find ways to better protect customer data,” said Westin.
In this case, Westin adds the financial services group makes valid points regarding the need to comply with federal laws and regulations.
“Retailers have PCI DSS, which is not federally mandated but is established by the payment card industry,” said Westin. “It only provides very basic protections limited to credit card data, not other data, which is increasingly being collected by retailers for marketing purposes, such as email, phone numbers and purchase history.”
The letter further concludes: “It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential [information].”