Brian Dodge, EVP at Arlington, Va.-based Retail Industry Leaders Association (RILA), expressed retailers' support for a strong pre-emptive federal data breach law that allows for reasonable and clear notice triggered by potential customer harm. Dodge presented his testimony, "What are the Elements of Sound Data Breach Legislation," at the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade hearing.
As well as discussing state data breach notice laws already in place and stringent data security regulations to which retailers are subject, Dodge set forth the association's priorities for the committee to consider as part of data breach legislation.
"Retailers understand that defense against cyberattacks must be an ongoing effort, evolving to address the changing nature of the threat," Dodge said in an excerpt from the testimony, which can be read in full online. "RILA is committed to working with Congress to give government and retailers the tools necessary to thwart this unprecedented attack on the U.S. economy and bring the fight to cybercriminals around the globe."
As part of its continuing efforts to combat data breaches, he added, "RILA formed the Retail Cyber Intelligence Sharing Center (R-CISC) in partnership with America's most recognized retailers. The center has opened a steady flow of information sharing between retailers, law enforcement and other relevant stakeholders. These efforts already have helped prevent data breaches, protected millions of American customers and saved millions of dollars."
Dodge went on to flag a particular concern for the retail industry. "[O]ne area of security that needs immediate attention is payment card technology," he noted. "RILA members have long supported the adoption of stronger debit and credit card security protections. The woefully outdated magnetic-stripe technology used on cards today is the chief vulnerability in the payments ecosystem. This 1960s-era technology allows cybercriminals to create counterfeit cards and commit fraud with ease. Retailers continue to press banks and card networks to provide U.S. consumers with the same chip-and-PIN technology that has proven to dramatically reduce fraud when it has been deployed elsewhere around the world."
He then encouraged the committee to consider data breach legislation that would do the following:
- Create a single national notification standard that enables businesses to focus on quickly providing affected individuals with actionable information, rather than ensuring compliance with more than 47 state laws.
- Establish a reasonable timetable for notification that considers the practical challenges related to a large-scale notice and law enforcement's investigative needs.
- Provide flexibility in the mode of notification in cases where a business doesn't have contact information for all affected individuals.
- Ensure that notice is required only when there's a reasonable belief that a breach has led or will lead to identity theft, economic loss or harm.
- Ensure that the responsibility to notify is that of the entity breached, but provide flexibility for entities to contractually determine the notifying party.
- Establish a precise, targeted definition of "personal information."
- Include a reasonable data security standard recognizing existing obligations and encouraging companies to adhere to leading security practices.
- Ensure fair, consistent and equitable enforcement of the law, based on cases of actual harm, with a cap on civil penalty authority and a denial of a private right of action, since such a right would undermine consistent enforcement.