Add retailers to the chorus of voices calling for federal legislation on cyber security and data protection.
In an unusual move, retail groups from across the U.S. sent a letter to Congressional leaders that urged them to pass federal data protection legislation that sets clear rules for businesses serving consumers. The letter, dated November 6, was addressed to the majority and minority party leaders of the U.S. Senate and the House of Representatives and signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Grocers Association, the National Restaurant Association and the National Association of Chain Drug Stores, among others.
“The recent spate of news stories about data security incidents raises concerns for all American consumers and for the businesses with which they frequently interact,” the letter reads. “A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”
Pointedly, the signatories warn Congress against creating a law with loopholes or exemptions for specific industries or interest group – such as the telecommunications industry, which represents major Internet service providers. “Better security at the source of the problem is needed. The protection of American’s sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all,” the letter reads. The providers of the connections that data moves across as well as cloud-based service providers should be bound by the same security standards and disclosure mandates as retailers, the groups argue.
Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam. Business and consumer groups have been generally aligned on the need for a federal law to create a uniform, national standard and set policy on a problem (online crime) that doesn’t respect state or national borders.
However, political gridlock in Congress since 2010 has allowed small disagreements about the scope of a final law and enforcement to stay the federal government’s hand. Following the breach at Target Stores, which had information on 70 million customers stolen in a cyber attack, credit card issuers and retailers said they would move to implement more secure chip-and-PIN technology by 2015. Absent federal action, the Obama Administration threw its weight behind that effort. President Obama signed an executive order in October requiring the government to require the use of chip and PIN technology for any new or existing government-issued debit and credit cards.
Speaking at an event in Las Vegas hosted by the firm DigiCert, Craig Spiezle, the Executive Director and President of the Online Trust Association (OTA) said that the current patchwork of state laws is harmful to businesses and consumers alike. Current legislation across the states sets wildly different standards for everything from what kinds of data is protected to what constitutes a breach and what affected firms need to do to respond to cyber incidents.
Speaking to The Security Ledger, Spiezle said that there are many places that lawmakers in Congress can look for a model for effective data breach legislation. Laws like CAN SPAM provide a ready template for a federal standard that also leaves enforcement to state attorneys general – one concern about an overarching federal law. OTA has briefed both the FCC and FTC. The group supports a federal law and is urging Congress to act before the end of the lame duck session that runs until the next Congress is sworn in. “We’d like to see it in 90 days,” Spiezle said.
Correction: A previous version of this story misidentified the company sponsoring the event that Mr. Speizle spoke at. The company was DigiCert. – PFR Nov. 12, 2014
