The National Retail Federation and dozens of other related groups cosigned a letter [PDF] to top congressional leaders last week pleading that they consider the passage of a federal law imposing uniform data breach notification rules that are equally applicable to every organization that handles sensitive user information.
The NRF letter makes two main points: that the underlying causes of breaches deserve as much attention as their effects, and that the problem is made worse because certain industries are exempt from reporting certain breach information. No such exemptions apply to the retail sector.
“Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit,” the NRF argues. “Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”
In the more constructive parts of its letter, the NRF notes that criminals are enabled by “the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature.” This is a widely held view in the United States, which, unlike Europe, has not yet adopted the more secure chip-and-PIN method of card payment, in which the card’s data is held on an embedded chip that authenticates the card to the terminal, and the transaction is authorized by a PIN known only to the cardholder rather than by a signature.
However, the majority of the letter focuses on creating a law that requires fairer and fuller data breach reporting, backed by consistent enforcement.
The NRF argues that it would be “senseless” for any legislation to mandate different data security measures or notification obligations for entities holding information in transit or in cloud storage than for any other entity suffering a data breach. Any data breach legislation, the NRF believes, should not subject businesses handling the same sensitive customer data to different rules with different penalties.
“Data security intrusions are a threat faced by every sector of our nation. Consumers deserve to know when they are placed at risk, regardless of where the risk arises. The public expects no less. Congress should act to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur. However, legislation that would demand notice of some sectors, while leaving others largely exempt, will unfairly burden the former and unnecessarily betray the public’s trust.”
Threatpost reached out to the NRF, but it did not respond to requests for comment before the time of publication.
It’s been a bad year for data breaches in general, and a particularly bad year for retail breaches. Retail giants such as Target, Michaels, Neiman Marcus, SUPERVALU and Albertsons, Kmart, Home Depot and countless others have suffered massive data breaches over the last year. To be fair, though, the investment banking giant JP Morgan suffered perhaps the biggest breach of all, affecting nearly 80 million customers. Not to be left out of the fun, government has been hit as well, with an incident disclosed yesterday at the USPS. Other substantial companies with a data breach to their names in 2014 include AT&T, eBay, the seed giant Monsanto and Community Health Systems.