Retail trade groups and data security officials took issue March 7 with a bipartisan draft bill in the U.S. House of Representatives that would enact a national data breach security law, saying it did not go far enough to protect consumers and could, in fact, harm them.
Lawmakers have worked for several years to find a compromise on a national breach security law. Their action stems from a number of significant data breaches, including the recent breach at credit reporting agency Equifax Inc., which affected more than 145 million consumers and which the company took more than a month to disclose. Two separate Yahoo breaches affecting 1.5 billion user accounts went unreported by the company for nearly two years, and breaches have also occurred at Target Corp. and Home Depot Inc., among other companies.
The draft bill, to be introduced by Rep. Blaine Luetkemeyer, R-Mo., and Rep. Carolyn Maloney, D-N.Y., would establish a national data security standard and national data breach notification standard overseen by the Federal Trade Commission to replace the current non-uniform state and federal procedures.
According to the House Financial Services Committee, the bill would scale its requirements to an entity's size and the types of information it maintains, and would require notification of consumers and law enforcement when a breach involving personal information occurs.
But several business groups and state officials have voiced concerns about the draft legislation, which may still change before it is formally introduced.
Sarah Cable, assistant attorney general and director of data privacy and security for the consumer protection division of the Massachusetts Attorney General's office, told lawmakers at a subcommittee hearing that roughly 21,000 breaches have occurred over the past 10 years.
She warned that the draft "Data Acquisition and Technology Accountability and Security Act" would do consumers more harm than good.
Cable said the bill would allow entities to push the cost of data security problems onto consumers without providing "any meaningful remedy" and would strip state attorneys general of the tools they currently have to combat data breaches and protect consumers.
"As the 'cop on the beat' working the front lines of the data security problem, we believe that this bill, taken as a whole, will leave consumers in a worse position than the status quo," Cable said before the committee's financial institutions and consumer credit subcommittee. "Now is not the time to dilute or pre-empt the tools regularly and successfully used by states. This bill would harm, not help, consumers."
A coalition of 10 trade groups — including the National Retail Federation, National Grocers Association and the National Association of Convenience Stores — said in a March 7 letter to the committee that they had "significant concerns" regarding the draft. Specifically, the groups said that financial institutions would be exempt from the draft's breach reporting and notification requirements.
The coalition said the bill does not ensure that all businesses that suffer security breaches are obligated to investigate them and provide notice to regulators and consumers. In the letter, the groups said the draft bill also sets "unreasonable and inappropriate data security requirements for millions of commercial businesses," including a mandated checklist of requirements for all businesses. They argued that a "one-size-fits-all" set of requirements would be ineffective. Instead, they recommended a "flexible, reasonable" standard that could be applied to differing types of businesses.
In September, the same 10 industry groups sent a letter to congressional leaders calling for the creation of a single law to replace the 52 individual breach laws in effect in 48 states and four federal jurisdictions.
However, the draft legislation had support from Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable, who also testified at the March 7 hearing.
"The approach detailed in the discussion draft strikes the appropriate balance by setting a high bar for data protection, while providing numerous considerations to ensure a small business that processes or maintains little or no personal information is not burdened with the same expectations as a larger entity," Kratovil said.
Luetkemeyer, the subcommittee chairman, acknowledged that the bill needs work, adding that there is a need for an "immediate national solution" to the issue of data breaches, which he said are guaranteed to continue. His comments came before the formal introduction of the bill, the substance of which could change based on written input and comments made at the hearing.
"It's a work in progress," Luetkemeyer said at the hearing. "It's not perfect. We're going to try and get it better and hopefully it will be something we can implement here down the road."
The NRF said in a separate letter to the committee that banks should be subject to mandatory notification requirements, saying they account for five times as many breaches as retailers.
"The legislation being considered by the committee is an important step forward but has significant loopholes that would allow major data breaches to be kept secret from the public," NRF Vice President and Senior Policy Counsel Paul Martino said in a statement. "We want to work with the committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur."
