Retailers push for tougher data breach disclosure law


Business groups say the draft legislation has 'significant loopholes'

The House Financial Services Committee is considering a bill that would increase disclosures to consumers when there is a data breach, but retailers say the draft legislation doesn't go far enough.

The National Retail Federation (NRF) was one of several business groups that signed a letter to the committee and asked it to revise its draft to make sure that the legislation sets "appropriate data security standards" and that no industries handling sensitive data are exempt.

“The legislation being considered by the committee is an important step forward but has significant loopholes that would allow major data breaches to be kept secret from the public,” said NRF Vice President and Senior Policy Counsel Paul Martino. “We want to work with the committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur.”

Retailers want banks included

In particular, the retailers want the bill to include banks and other financial institutions. Under current law, they say banks are not required to disclose data breaches. The current draft would exempt financial institutions and a somewhat vaguely defined group of “service providers.”

The NRF also expressed concern that the bill in its present form would require the Federal Trade Commission (FTC) to take a “punitive” approach to enforcement where fines could be imposed even before standards are set.

The trade group said it is important to include financial institutions under any mandatory notification requirement. As support, it cites the 2017 Verizon Data Breach Investigations Report, which it says shows financial institutions accounting for five times as many breaches as retailers.

Response to Equifax data breach

The measure under consideration, the “Promoting Responsible Oversight of Transaction and Examinations of Credit Technology Act of 2017," was introduced in October in the wake of the disclosure of the massive data breach at Equifax, one of the three major credit reporting agencies.

The proposal would amend the Federal Financial Institutions Examination Council Act of 1978 to require supervision and examination of large consumer reporting agencies regarding cybersecurity measures.

While the NRF concedes that the proposed legislation would set data security standards for financial institutions, it says the bill is silent about what happens once a data breach occurs at a bank. It says the banking regulators' current guidance, issued in 2005, leaves it up to each bank to decide whether to disclose a data breach to its customers.