Retailers Cite Equifax as Need for Uniform Data Breach Law

WASHINGTON–(BUSINESS WIRE)–The National Retail Federation and other industry associations are
telling Congress that any new federal law on data breach notification
should apply to all industries that handle consumer data, citing the
recent breach at the Equifax credit reporting agency.

“The fact is that hackers do not discriminate as to the type of business
they attack,” NRF and the other groups said in a
letter to House and Senate leadership
of both parties. “Every
industry sector – whether consumer-facing or business-to-business –
faces data security threats that may put consumer data at risk.”

“To protect customers and ensure effective public policy, Congress
should ensure that any federal breach notification law applies to all
affected sectors and leaves no holes in our system for some industries
that criminals can exploit,” the letter said.

The letter was signed by NRF, NRF’s National Council of Chain
Restaurants, and associations representing convenience stores, truck
stops, gasoline stations, grocers, real estate agents, franchises and
the travel industry.

Citing the 2017 Verizon
Data Breach Investigations Report
, the letter noted that the
financial services industry accounts for 24.3 percent of all data
breaches while retail represents only 4.8 percent. More than 80 percent
of all breaches take place in industries other than those signing the

The letter asked for a uniform national law to replace existing state
laws, reasonable data security standards, Federal Trade Commission
enforcement, and a requirement that all breached entities be obligated
to notify consumers when they suffer a breach of sensitive information
that creates a risk of identity theft or financial harm.

Equifax announced last week that it had been the victim of a massive
data breach that compromised information ranging from names to Social
Security numbers for as many as 143 million individuals. The breach,
which began in mid-May, was discovered on July 29 but not disclosed for
more than a month.

NRF has long called for a uniform
federal data breach law
to replace separate and often-conflicting
laws in 48 states and the District of Columbia that are confusing for
consumers and create compliance challenges for multi-state retailers.
NRF has argued that the new federal law should cover banks, card
processors, telecommunications companies and all other entities that
handle sensitive consumer data, not just retailers. By contrast, banks
and other industries have pushed for breach notification legislation
that would subject retailers to stringent bank-style security rules
while banks themselves would be subject only to discretionary guidance.

NRF is the world’s largest retail trade association, representing
discount and department stores, home goods and specialty stores, Main
Street merchants, grocers, wholesalers, chain restaurants and Internet
retailers from the United States and more than 45 countries. Retail is
the nation’s largest private sector employer, supporting one in four
U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to
annual GDP, retail is a daily barometer for the nation’s economy.



National Retail Federation
J. Craig Shearman, 855-NRF-PRESS