Coalition submits comments to Congress on four principles that should
Alexandria, VA – January 2018 / Newsmaker Alert / Last week, the National Association of Convenience Stores (NACS) submitted comments to the House Energy and Commerce Committee regarding data security and data breach notification legislation. The committee is seeking input from stakeholders, and a coalition including NACS, SIGMA and NATSO, among others, has reiterated four primary principles that should be contained in such legislation. NACS also sent separate comments focused on the premise that the breached entity should be the one responsible for notification requirements.
The coalition of trade associations, which collectively represent more than one million businesses that serve American consumers, believes that some policy proposals made during the past Congress fall short of improving current law. The coalition communicated to Congress that data breach legislation must meet these four basic principles:
1. Establish a Uniform Nationwide Law. Any bill needs to preempt the current data breach laws in 48 states and 4 federal jurisdictions. One of the primary purposes of federal data breach legislation should be creating one strong national standard. Simply creating a fifty-third data breach law would not be beneficial.
2. Promote Reasonable Data Security Standards. Commercial businesses across the country are diverse in size, scope and operations. Given this, data security cannot be a prescriptive, one-size-fits-all exercise. The best way to provide that flexibility is to base data security requirements on a standard of reasonableness.
3. Maintain the Appropriate FTC Enforcement Regime. Enforcement of data breach requirements should not be overly punitive. The FTC's current legal framework, which requires it to bring an action to stop a business from violating the law before imposing fines, has worked well and is consistent with over 100 years of FTC enforcement of the Section 5 standards prohibiting unfair or deceptive acts or practices. Businesses need to know what the law is before being fined.
4. Ensure All Breached Entities Have Notice Obligations. Each business entity in every affected industry sector should have an obligation to notify consumers when it suffers a breach of sensitive personal information that creates a risk of identity theft or financial harm. Some sectors have argued that they should not have notice obligations under a breach law, but the facts show that the financial services, telecommunications, and technology industries that typically seek these special considerations suffer significant numbers of breaches. It is also important to distinguish between a business entity and its contract partners in a way that ensures only the breached entity is responsible for the data breach, and that this responsibility cannot be shifted by the breached business entity onto an unbreached business entity it serves.
Past legislative proposals have allowed some businesses (typically referred to as “third parties” or “service providers”) to have a breach and then make other businesses that did not suffer the breach responsible for providing notice. This is unfair and unworkable.
In addition, past proposals have exempted certain types of businesses from breach notification requirements in favor of leaving those businesses subject to current law (such as the Gramm-Leach-Bliley Act). The coalition considers this bad policy because, in its reading, the Gramm-Leach-Bliley Act does not require notification following a data breach but merely recommends it. The result would be that some potentially harmful breaches would remain secret, harming consumers and remedial efforts.
“Ensuring that legal obligations are appropriate and do not leave any holes that result in breaches remaining secret would be the strongest, market-based incentive for businesses to take action to protect data,” wrote the coalition. “We look forward to working with the Committee to help pass data breach legislation that follows these principles to improve on current law.”
To register as media for a NACS event contact Erin Pressley.