Like us on FacebookFollow us on Twitter
Back To News/PR Index
National Association of Convenience Stores
NACS Communicates Data Security Concerns
Coalition submits comments to Congress on four principles that should
be included in data security and data breach notification legislation.
Alexandria, VA – January 2018 / Newsmaker Alert / Last week, the National Association of Convenience Stores (NACS) submitted comments to the House Energy and Commerce Committee regarding data security and data breach notification legislation. The committee is seeking input from stakeholders, and a coalition including NACS, SIGMA and NATSO, to name a few, have reiterated four primary principles that should be contained in such legislation. NACS also sent comments that focus on the premise that the breached entity should be responsible for notification requirements.

The coalition of trade associations, which collectively represent more than one million businesses that serve American consumers, believes that some policy proposals made during the past Congress fall short of improving current law. The coalitions communicated to Congress that data breach legislation must meet these four basic principles:

1. Establish Uniform Nationwide Law. Any bill needs to preempt the current data breach laws in 48 states and 4 federal jurisdictions. One of the primary purposes of federal data breach legislation should be creating one strong national standard. Simply creating a fifty third data breach law would not be beneficial.

2. Promote Reasonable Data Security Standards. Commercial businesses across the country are diverse in size, scope and operations. Given this, data security cannot be a prescriptive, one-size-fits-all exercise. The best way to provide that flexibility is to base data security requirements on a standard of reasonableness.

3. Maintain Appropriate FTC Enforcement Regime. Enforcement of data breach requirements should not be overly punitive. The FTC’s current legal framework, which requires it to bring an action to stop a business from violating the law prior to imposing fines, has worked well and is consistent with over 100 years of FTC enforcement of section 5 standards prohibiting unfair or deceptive acts or practices. Businesses need to know what the law is before being fined.

4. Ensure All Breached Entities Have Notice Obligations. Each business entity in every affected industry sector should have an obligation to notify consumers when they suffer a breach of sensitive personal information that creates a risk of identity theft or financial harm. Some sectors have tried to argue they should not have notice obligations in a breach law, but the facts show that the financial services, telecommunications, and technology industries that typically seek these special considerations suffer significant numbers of breaches. And, it is important to distinguish between a business entity and its contract partners in a way that ensures only the breached entity is responsible for the data breach—and that responsibility can’t be shifted by the breached business entity onto an unbreached business entity it serves.

Past legislative proposals have allowed some businesses (typically referred to as “third parties” or “service providers”) to have a breach and then make other businesses that did not suffer the breach responsible for providing notice. This is unfair and unworkable.

In addition, past proposals have exempted certain types of businesses from their breach notification requirements in favor of having those businesses subject to current law (such as the Gramm Leach Bliley Act). This is bad policy because the Gramm Leach Bliley Act does not require notification following a data breach—it merely recommends it. The result would be that some potentially harmful breaches would remain secret, harming consumers and remedial efforts.

“Ensuring that legal obligations are appropriate and do not leave any holes that result in breaches remaining secret would be the strongest, market-based incentive for businesses to take action to protect data,” wrote the coalition. “We look forward to working with the Committee to help pass data breach legislation that follows these principles to improv on current law.”

For more information on NACS efforts to address data security and data breach notification, contact Paige Anderson, NACS director of government relations, at

About NACS
NACS, was founded August 14, 1961 as the National Association of Convenience Stores, advances the role of convenience stores as positive economic, social and philanthropic contributors to the communities they serve. The U.S. convenience store industry, with more than 154,000 stores nationwide selling fuel, food and merchandise, serves 160 million customers daily—half of the U.S. population—and has sales that are 10.8% of total U.S. retail and foodservice sales. NACS has 2,100 retailer and 1,750 supplier members from more than 50 countries.

NACS Contact:
Jeff Lenard
V.P., Strategic Industry Initiatives

To register as media for a NACS event contact Erin Pressley.

Publishing Dates: 01/11/18 – 03/11/18
Back To News/PR Index
Hospitality Newsmaker Alert