Retailers Support National Data Breach Notification Standard

Contention points include federal pre-emption, industry exemptions

By Roy Maurer Feb 13, 2015

The association representing the nation’s retailers supports the idea of a national data breach notification law, such as recently proposed by President Barack Obama, as long as it covers all entities that handle sensitive data and pre-empts conflicting state laws.

National Retail Federation (NRF) Senior Vice President and General Counsel Mallory Duncan told a Senate Commerce subcommittee on data security that any data breach notification legislation should develop a “uniform, nationwide notification standard, based on the strong consensus of state laws, that applies to all businesses that handle sensitive personal information of consumers.”

The Need to Act

A series of major breaches at retailers like Home Depot, Staples and Target, the headline-grabbing 2014 Sony cyberattack and the announcement of the Feb. 4, 2015, attack on Anthem, the second-largest U.S. health insurer, has lit a fire under lawmakers and the White House to bolster the nation’s cybersecurity.

The Obama administration has rolled out a series of cybersecurity proposals, including facilitating cyber threat information-sharing between the government and private sector, and enacting a national data breach notification standard.

President Obama’s Personal Data Notification and Protection Act would require businesses that store sensitive personally identifiable information of more than 10,000 individuals to provide notification of security breaches within 30 days. Businesses would be able to delay notice to affected individuals if they were able to prove that additional time was “reasonably necessary” to assess the scope of the breach or prevent additional disclosures. In addition to providing notice to affected consumers, business entities would be required to provide notice to the government when more than 5,000 individuals were affected.

Sen. Bill Nelson, D-Fla., reportedly will soon introduce data breach notification legislation that closely resembles the president’s proposal. It is expected to require the Federal Trade Commission to issue security standards for companies that hold consumers’ personal and financial information. While the details of the notification requirement and the extent to which the legislation would pre-empt the 47 state data breach notification laws already on the books remain unclear, the 30-day notification requirement has been criticized by some as too strict and inflexible.

Other criticisms of past attempts at enacting a federal data breach law include allowing sector exemptions and the pre-emption of state notification requirements.

Notice Obligations Should Apply to All

The proposals being considered by Congress would place notice requirements on certain entities like retailers while exempting others, such as third-party processors, cloud services companies and other service providers, Duncan said. The NRF believes a federal notification law should cover all entities handling sensitive data, including banks, card processors and telecommunications companies.

“A public notice obligation on all entities handling sensitive data would create significant incentives for every business that operates in our networked economy to invest in reasonable data security to protect the sensitive data in its custody,” he said. “Exemptions for particular industry sectors not only ignore the scope of the problem but create risks criminals can exploit.”

Duncan gave the example of only the retail shop being required to provide notice of a breach if information is stolen during a typical payment card transaction, even though the data is transmitted via communications carriers to a data processor, which in turn processes the data and transmits it to the branded card network, such as Visa or MasterCard, which in turn processes it and transmits it to the card-issuing bank. The data processor, data transmitter and card company would all qualify as third parties whose only obligation, if breached, would be to notify the retail shop of their breach, and not affected consumers. The retailer then would provide notice on their behalf. And the bank suffering a breach would also be exempt from notifying consumers or the public under most legislative proposals to date, Duncan said.

“If the retailers must bear the burden for every other entity in the networked system that suffers a breach, then 100 percent of the notices would come from entities that suffer only 11 percent of the breaches. This is neither fair nor enlightened public policy,” he said.

Duncan advocated for any proposed federal notification law to restrict “notice holes,” where certain entities are exempt from reporting known breaches of their own systems, specifically referring to financial institutions which are largely left to make their own determinations about when and whether to inform consumers of a data breach, as well as telecommunications providers, cloud data services and payment processors. “With an exemption for service providers like these, there is real risk that the public won’t get information it needs or that other businesses will have to plug the gap and take the attendant cost and blame for someone else’s data breach,” he said.

Doug Johnson, senior vice president of payments and cybersecurity policy for the American Bankers Association, disagreed, emphasizing the importance of recognizing existing federal data breach requirements such as under the Gramm-Leach-Bliley Act, which regulates financial data security.

The act requires banks to implement a “risk-based” response program to address instances of unauthorized access to customer information systems. At a minimum, a response program must:

  • Assess the nature and scope of incidents and identify what customer information systems and customer information may have been accessed or misused.
  • Notify the institution’s primary federal regulator “as soon as possible” about any threats “to sensitive customer information.”
  • Notify appropriate law enforcement authorities in situations involving federal criminal violations.
  • Notify customers “as soon as possible” if it is determined that misuse of customer information has occurred or is “reasonably possible.”

“It is critical that we build upon but not duplicate or undermine what is already in place for the financial services sector,” said Johnson. “We believe the extensive breach reporting requirements currently in place for banks provide an effective basis for any national data breach reporting requirement for businesses generally,” he added.

Yael Weinman, vice president of global privacy policy and general counsel for the Information Technology Industry Council, told the committee “that to a certain extent, the sector-approach has worked with regards to financial and health data.”

National Uniform Standard

The NRF supports a federal data breach notification law “based on a strong consensus of existing state laws,” but pre-empting those state laws. “A single, uniform national standard for notification of consumers affected by a breach of sensitive data would provide simplicity, clarity and certainty to both businesses and consumers alike,” said Duncan.

The 47 states and additional federal jurisdictions (including the District of Columbia and Puerto Rico) with data breach notification laws include varying definitions of covered entities and covered data, notification triggers, timeliness of notification, provisions specifying the manner and method of notification, and enforcement. Some of the laws cover distinctly different types of data sets, some require that particular state officials be notified, and a few have time constraints, although the vast majority of state laws only require notice without unreasonable delay.

The three states without notification statutes are Alabama, New Mexico and South Dakota.

“A single federal law would permit companies victimized by a criminal hacking to devote greater attention in responding to such an attack to securing their networks, determining the scope of affected data, and identifying the customers to be notified, rather than diverting limited time and resources to a legal team attempting to reconcile a patchwork of conflicting disclosure standards,” Duncan said.

Illinois Attorney General Lisa Madigan voiced her opposition to this approach, which she said would weaken states’ ability to respond to cyber threats. “We already have data breach notification in this country,” she said. Many states are working to pass their second or third updates to these laws, Madigan added. “As a state official, I oppose any federal legislation that limits our ability at the state level to protect our residents. Simply passing a law that replicates state laws will do very little to protect consumers that is not already being done,” she said.

Madigan and Sen. Richard Blumenthal, D-Conn., himself a former state attorney general, expressed that if Congress does pre-empt the states, the pre-emption should be narrow, allowing the states to enforce the law. Madigan pointed to the Gramm-Leach-Bliley Act as an example of narrow pre-emption, as it only pre-empts those state laws that are inconsistent with federal law and “then only to the extent of the inconsistency.”

Weinman argued that a federal data breach notification requirement without federal pre-emption would just add a 52nd law to the overall patchwork. “Federal pre-emption ensures that consumers will receive consistent notifications, and thus they will be more easily understood,” she said.

Weinman also told the committee that any new federal data breach legislation should carefully define sensitive personally identifiable information to prevent over-notification as a result of an overly broad definition. “Consumers will be best served if they are notified not about every data breach, but about those that can cause real financial harm so that they can take precautionary actions only when they are in fact necessary,” she said.

In addition, she recommended implementing a “realistic, flexible and workable time frame for consumer notification” instead of an arbitrary time frame such as the president’s 30-day proposal.

“Mandating that companies notify consumers of a data breach within a prescribed time frame is counterproductive. Companies must be afforded sufficient time to remedy vulnerabilities, determine the scope and extent of any data breach, and cooperate with law enforcement,” she said.

Finally, Weinman urged avoiding the inclusion of a private right of action for violations of a data breach notification. “The best way to protect consumers is not to empower the plaintiff’s bar to pursue actions that are ultimately only tangential to consumer injury. Appropriate government enforcement for violations of data breach notification legislation is the proper remedy.”

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy

