Retailers Emphasize on Four Data Security Principles

Equifax announced, on September 7th, the occurrence of a cybersecurity incident which had potentially affected about 143 million customers in the US. The hackers behind the data breach had accessed customers’ names, social security numbers, birth dates, addresses etc. In some cases, they had even got access to customers’ driving license numbers. Following the data security breach, many members of the Congress came up with demands of congressional hearings for examining data security as well as consumer protection. Richard Smith, the CEO of Equifax has been invited to testify before the House Energy and Commerce Committee, on October 3rd.

An official press release published by the House Energy and Commerce Committee and titled ‘Walden and Latta Invite Equifax CEO to Testify on October 3rd’, states- “Energy and Commerce Committee Chairman Greg Walden (R-OR) and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-OH) today formally invited Equifax CEO Richard Smith to testify before #SubDCCP on October 3rd, 2017. After receiving a briefing from Equifax last week on the breach that potentially exposed the personal information of 143 million Americans, the committee has been in contact with Equifax to determine the appropriate time for a hearing.”

The press release also quotes a joint statement from Greg Walden and Bob Latta- “We look forward to hearing directly from Mr. Smith on this unprecedented breach that has raised serious questions about the security of consumers’ personal information…We know members on both sides of the aisle appreciate Mr. Smith’s willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation.”

The House Financial Services Committee Chairman too proposes to have a hearing with Equifax CEO Richard Smith. A press release brought out by the House Financial Services Committee states- “House Financial Services Committee Chairman Jeb Hensarling (R-TX) said his committee will hold a hearing on the Equifax data breach that has potentially compromised the personal information of roughly 143 million Americans.” (The date for the hearing is yet to be announced).

The release quotes Jeb Hensarling as saying, “This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing. Large-scale security breaches are becoming all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers,”

Meanwhile a coalition of different associations (American Hotel & Lodging Association, International Franchise Association, National Association of Convenience Stores, National Association of Realtors, National Association of Truck Stop Operators, National Council of Chain Restaurants, National Grocers Association, National Retail Federation, Society of Independent Gasoline Marketers of America and U.S. Travel Association), representing “over a million businesses in industries that directly serve American consumers”, has written in detail to the members of the US Congress about the need for protecting customers and ensuring effective public policy. The letter says- “To protect customers and ensure effective public policy, Congress should ensure that any federal breach notification law applies to all affected sectors and leaves no holes in our system for some industries that criminals can exploit.” The letter also outlines four key principles that the associations support in federal data security and breach notification legislation. These include…

Establishing uniform nationwide law

The coalition of the different associations feels that rather than having different, inconsistent breach laws, it would be good to have a uniform, nationwide standard. This would help every business and consumer know “the singular rules of the road.”

Promoting reasonable data security standards– It is pointed out that “data security requirements
in a federal law applicable to a broad array of U.S. businesses should be based on a standard of reasonableness.” The prevalence of a reasonable standard that is consistent with federal consumer protection laws applicable to businesses of all types and sizes “…would allow the right degree of flexibility while giving businesses the appropriate level of guidance they need to comply “.

Maintaining appropriate FTC enforcement regime– The associations point out that “…federal agencies should not be granted overly-punitive enforcement authority that exceeds current legal
frameworks.”

Ensuring that breached entities have notice obligations– The coalition of business associations points out that all kinds of businesses should be obliged to notify customers when there is a breach that involves risk of identity theft or financial harm.

The group points out, in the concluding part of the letter, that such principles “…are important to ensure that any data security and breach notification legislation advanced in Congress does not overly burden business already victimized by a breach, does not impose unfair burdens on unbreached entities, and does not pick regulatory winners and losers among differing business sectors in the process. ” The letter also urges the Congress to “…find legislation that can meet these four principles.”