RILA Outlines Elements of Data Breach at Hearing

The Retail Industry Leaders Association (RILA) will testify Tuesday at the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade hearing, "What are the Elements of Sound Data Breach Legislation." In his testimony, Brian Dodge, Executive Vice President at RILA, will focus on retailers' priority of supporting a strong preemptive federal data breach law that allows for reasonable and clear notice triggered by potential customer harm. Dodge will lay out existing state data breach notice laws and robust data security regulatory regimes retailers are subject to. RILA will lay out its priorities for the committee to consider as part of data breach legislation, including a carefully calibrated reasonable data security standard. Retailers are working to safeguard consumers from this 21st century enemy, and the industry will ask policymakers to focus on targeted actions that address the real problems.

The full testimony can be read here: http://bit.ly/1Uuiy79.

Excerpts from the testimony:

"Retailers embrace innovative technology to provide American consumers with unparalleled services and products online, through mobile applications, and in stores. While technology presents great opportunity, nation states, criminal organizations, and other bad actors also are using it to attack businesses, institutions, and governments. As we have seen, no organization is immune from attacks and no security system is invulnerable. Retailers understand that defense against cyber-attacks must be an ongoing effort, evolving to address the changing nature of the threat. RILA is committed to working with Congress to give government and retailers the tools necessary to thwart this unprecedented attack on the US economy and bring the fight to cybercriminals around the globe." 

…

"As leaders in the retail community, we are taking new and significant steps to enhance cybersecurity throughout the industry. To that end, last year, RILA formed the Retail Cyber Intelligence Sharing Center (R-CISC) in partnership with America's most recognized retailers. The Center has opened a steady flow of information sharing between retailers, law enforcement and other relevant stakeholders.  These efforts already have helped prevent data breaches, protected millions of American customers and saved millions of dollars."

…

"In addition to the topics this hearing will cover today, one area of security that needs immediate attention is payment card technology. RILA members have long supported the adoption of stronger debit and credit card security protections. The woefully outdated magnetic stripe technology used on cards today is the chief vulnerability in the payments ecosystem. This 1960s era technology allows cyber criminals to create counterfeit cards and commit fraud with ease. Retailers continue to press banks and card networks to provide US consumers with the same Chip and PIN technology that has proven to dramatically reduce fraud when it has been deployed elsewhere around the world."

…

"While the FTC has not promulgateddata securityrules,its robust enforcementactivityhascollectivelycreateda"commonlaw"ofconsent decrees that tend to signal what is expected from businesses regarding the collection, use, and protectionof personalinformation."

… 

"Many state laws require businesses to do some combination of the following: (1) comply with data security rules for personal information; (2) maintain the confidentiality of Social Security numbers; and (3) securely dispose of personal data. In addition to express statutory provisions relating to data security, many states have so-called "Little FTC Acts" that also can be used by state Attorneys General to enforce against what the Attorney General deems to be unreasonable data security practices."

"Finally, retailers voluntarily and by contract follow a variety of security standards, including those maintained by the Payment Card Industry, National Institute of Standards and Technology and the International organization for Standardization."

"RILA u​rges that committee to consider data breach legislation that:

• • Creates a single national notification standard that allows businesses to focus on quickly providing affected individuals with actionable information, rather than ensuring compliance with 47 plus state laws.
  • That establishes a reasonable timetable for notification that considers the practical challenges associated with a large scale notice and the investigative needs of law enforcement.
  • That provides flexibility in the method of notification in the instance that the business does not possess the contact information for all affected individuals.
  • That ensures that notice is required only when there is a reasonable belief that a breach has or will result in identity theft, economic loss, or harm.
  • That ensures that the responsibility to notice is that of the entity breached but provides flexibility for entities to contractually determine the notifying party.
  • That establishes a precise and targeted definition of personal information.
  • That includes a carefully calibrated reasonable data security standard that recognizes existing obligations and encourages companies to adhere to leading security practices. 
  • The final goal of data breach legislation should be to ensure fair, consistent, and equitable enforcement of a data breach law. Enforcement of the law should be consistently applied by the FTC based on cases of actual harm. Similarly, to the extent civil penalty authority is provided, this authority should be capped based on actual harm to consumers. Also, any legislation should deny a private right of action as it would undermine consistent enforcement."

###​

 RILA is the trade association of the world's largest and most innovative retail companies. RILA members include more than 200 retailers, product manufacturers, and service suppliers, which together account for more than $1.5 trillion in annual sales, millions of American jobs and more than 100,000 stores, manufacturing facilities and distribution centers domestically and abroad.