As Congress Weighs Data Security Legislation, Retailers Weigh In
Following well-publicized and costly data breaches at big-box retailers Target and Neiman Marcus, Congress has begun debating possible legislation aimed at creating uniform federal data security standards. Now, the National Retail Federation—the trade association that represents big-box retailers like Target and Neiman Marcus—has joined the debate.
On March 5, 2014, the NRF’s General Counsel issued a statement to the House Financial Services Committee titled “Data Security: Examining Efforts to Protect Americans’ Financial Information.” In the statement, the NRF attempted to deflect blame from retailers for the recent rash of data breaches; proposed the implementation of available technologies to make card transactions more secure; and urged the adoption of a nationwide breach notification law to replace the myriad different state laws with which merchants must currently comply when data breaches occur. (Georgia is one of the states that has its own breach notification law, codified at O.C.G.A. § 10-1-910, et seq.)
First, the NRF pointed its finger squarely at the payment card industry (i.e., the card brands, banks and card processors) for perpetuating the vulnerabilities that lead to data breaches, like those that occurred at Target and Neiman Marcus. As its statement says, “retailers are essentially at the mercy of the dominant credit card companies when it comes to protecting payment card data.” While the payment card industry has adopted prophylactic standards (known as the Payment Card Industry Data Security Standard, or PCI DSS) ostensibly aimed at securing consumer card data, it has been slow to adopt widely available technology that, the NRF argues, would actually reduce the incidence of data theft.
Such technologies include:
• The replacement of magnetic stripes (or “magstripes”) with chip technology;
• The implementation of PIN authorization for all card transactions, both in person and online;
• The implementation of end-to-end encryption of card transaction data; and
• Movement toward a secure mobile payment platform to replace card technology.
The NRF also advocated for the enactment of a single, federal breach notification law to replace the upwards of 47 different state laws currently on the books. As the NRF argued:
For nearly a decade, NRF has supported passage of legislation that would establish one, uniform federal breach notification law that would be modeled on, and preempt, the varying breach notification laws currently in operation in 46 states, the District of Columbia and federal territories. A federal law could ensure that all entities handling the same type of sensitive consumer information, such as payment card data, are subject to the same statutory rules and penalties with respect to notifying consumers of a breach affecting that information. Further, a preemptive federal breach notification law would allow retailers and other businesses that have been victimized by a criminal breach to focus their resources on remedying the breach and notifying consumers rather than hiring outside legal assistance to help guide them through the myriad and sometimes conflicting set of 50 data breach notification standards in the state and federal jurisdictions. Additionally, the use of one set of standardized notice rules would permit the offering to consumers of the same notice and the same rights regardless of where they live.
Critics speculate that the NRF has an agenda here: the adoption of a watered-down federal breach notification law to supplant the consumer-friendly (and retailer-unfriendly) laws that exist in states like California.