Cybersecurity

Retailers demand data breach laws

by Cory Bennett 11/06/14 02:41 PM ET

Retailers are calling on Congress to take action to prevent hackers from stealing data, arguing lawmakers should pass legislation that imposes a uniform, federal standard for rules regarding breaches.

The coalition of groups calling for action includes national and state retail associations as well as hotels, grocery stores and petroleum sellers.

{mosads}“Congress should act to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur,” the letter said.

Industry groups have argued a patchwork of 47 separate state-based standards has caused significant confusion. Notification standards also vary by industry.

“Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” the letter said.

While a number of Democratic lawmakers have advocated data breach legislation, Republicans have not been as assertive.

Rep. Lee Terry (R-Neb.), defeated in Tuesday’s midterm elections, was one of his party’s few prominent voices. He tried unsuccessfully to use his platform as chairman of the House subcommittee on commerce, manufacturing and trade to get a data breach measure introduced.

There is general consensus that federal standards are needed on data breach notifications.

More contentious is the level of data security a bill should require of companies, and how much authority the government would have to enforce those standards.

“Security gaps left unaddressed will quickly be exploited by criminals,” the letter said, citing the continued use of the vulnerable magnetic strip on payment cards.

Fallible magnetic strips were behind the massive data breaches at Target and Home Depot.

By October 2015, banks, credit card companies and retailers have all agreed to switch to more reliable chip-enabled technology, which uses an embedded microchip in payment cards to encrypt each transaction.

Chip-based cards also require a second form of authentication, either a signature or PIN number.

The government has pledged to transition to chip-and-PIN cards, seen as less susceptible to hacks.

— This story was updated at 9:50 a.m.