In a letter sent to members of the House Financial Services Committee today the Retail Industry Leaders Association (RILA), along with thirteen other industry trade groups, expressed strong opposition to H.R. 2205, the Data Security Act of 2015.
“While retailers strongly support efforts to safeguard financial data and protect consumers from hackers and cyber thieves, this legislation is a step in the wrong direction,” said RILA Executive Vice President for Government Affairs Jennifer Safavian.
One provision of the bill would require anyone that touches sensitive account information, defined as a credit or debit card, to first pass a criminal background check. This would subject tens of millions of frontline employees, such as retail employees working at cash registers, waiters and waitresses at restaurants, and even taxi cab drivers, to pass criminal background checks.
“Haphazardly slapping rules that were written 15 years ago for the financial industry on retailers, restaurants and thousands of small businesses is not the kind of data security legislation that will safeguard our economy. This is red tape masquerading as security.”
Additionally, Safavian also warned lawmakers that codifying security standards in statute would be a mistake.
“Addressing modern cybercrime will not always necessitate building bigger and thicker permanent walls; it often will require retailers and other industries to be nimble and creative in order to tackle evolving threats,” said Safavian. “Permanently codifying new standards will hinder efforts by retailers and other industries to adapt to an evolving threat landscape.”
“Applying static rules written more than a decade ago to regulate and safeguard complex financial products like mortgages and insurance policies makes no sense for retailers and other industries,” added Safavian. “We urge members of the House Financial Services Committee to reject this backward attempt at protecting American consumers and go back to the drawing board on legislation that will truly help all industries thwart the growing threat of cyber-attacks.”
Full letter text below.
RILA is the trade association of the world's largest and most innovative retail companies. RILA members include more than 200 retailers, product manufacturers, and service suppliers, which together account for more than $1.5 trillion in annual sales, millions of American jobs and more than 100,000 stores, manufacturing facilities and distribution centers domestically and abroad.
December 7, 2015
The Honorable Jeb Hensarling The Honorable Maxine Waters
Chairman Ranking Member
Committee on Financial Services Committee on Financial Services
U.S. House of Representatives U.S. House of Representatives
Washington, DC 20515 Washington, DC 20515
Dear Chairman Hensarling and Ranking Member Waters:
On behalf of the undersigned organizations, we write to express our strong opposition to H.R. 2205, the Data Security of Act of 2015. While our groups take the issue of data security very seriously and are committed to working with Congress to develop a strong federal bill, H.R. 2205 regulates every entity under the Federal Trade Commission’s (FTC) jurisdiction by applying the Gramm-Leach-Bliley Safeguards Rule to non-banking industries. It makes no sense to take one industry’s regulations and apply it to a huge segment of the economy without consideration for how retail, grocery, convenience store, restaurant or small businesses operate.
Section 4 of H.R. 2205 takes the Safeguards Rule, which was written over 15 years ago for the financial services industry for complex products like home mortgages, auto loans and insurance products, and applies it to FTC-regulated industries without any consideration to whether these standards make sense for others. For example, one provision would require anyone that touches sensitive account information, defined as a credit or debit card, to first pass a criminal background check. This would subject tens of millions of frontline employees, such as retail employees working at cash registers, waiters and waitresses at restaurants, and even taxi cab drivers, to criminal background checks.
While there are major problems with applying one industries regulations to all, we believe the approach itself of codifying security standards is misguided. We think it would be a mistake for Congress to codify security standards into statute that would almost immediately be obsolete and static. The Safeguards Rule was written as a regulation, and not as statute, with the financial services sector in mind and it can evolve and change over time as security threats and best practices change. H.R. 2205 takes the opposite approach by codifying the Safeguards Rule, which will hinder efforts by our industries to adapt to an evolving threat landscape and changing technology. Security standards are best left to standards bodies such as the National Institute of Standards and Technology as well as the International Organization for Standardization with the technical expertise and agility to adapt standards to technical capabilities.
Additionally, H.R. 2205 gives the FTC new authority to fine and penalize covered industries for violations of the Safeguards Rule without taking into account differences in regulatory enforcement regime. Under current regulatory enforcement of the Safeguards Rule, prudential regulators engage in continuous monitoring and audits that provides the opportunity for corrective action prior to enforcement for regulated banks. FTC enforcement provides no such opportunity for corrective action exposing companies under FTC jurisdiction to heavy-handed punishment. It is patently unfair to hold different industries to different degrees of punishment for violations of the exact same standard. Finally, H.R. 2205 would open up job creators to increased lawsuits. Although H.R. 2205 provides no private right of action, the bill would create a laundry list standard ripe for class action lawsuits from unscrupulous plaintiffs.
In closing, we are strongly opposed to H.R. 2205 because the bill fails to address business realities. Just as it would be bad policy to apply healthcare standards onto the financial services industry, applying financial services industry standards onto other industries is bad policy. Moreover, we believe the bill is being considered under a flawed process without refinement or input from affected industries, and is instead being unnecessarily rushed through the Committee hastily. For all of these reasons, we urge you and your colleagues to oppose H.R. 2205.
Auto Care Association
Food Marketing Institute
National Association of College Stores
National Association of Convenience Stores
National Automobile Dealers Association
National Grocers Association
National Restaurant Association
National Retail Federation
National Ski Areas Association
NATSO, Representing America’s Travel Plazas and Truckstops
North American Home Furnishings Association
Petroleum Marketers Association of America
Retail Industry Leaders Association
Society of Independent Gasoline Marketers of America
Cc: Members of the Committee