Retailers battle financial sector over data breach legislation

Retailers on Tuesday doubled down on their opposition to a data breach notification bill favored by financial firms.

The Retail Industry Leaders Association (RILA), one of the sector’s largest trade groups, argued in a letter to House leadership that the measure would be unfair to large swaths of the economy.

{mosads}The bill, from Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to notify customers following a breach and set nationwide data security standards modeled after those governing the financial sector.

“This legislation would not only have a detrimental effect on the retail community but would also negatively impact businesses of all sizes across the country,” the RILA said in the letter.

“It makes no sense to take one industry’s regulations and apply it to a large segment of the economy without understanding the consequences,” it added.

Industry groups and both parties in Congress have long agreed that federal data breach notification standards are badly needed. Companies currently deal with a confusing, costly and time-consuming patchwork of 47 state laws.

But all sides have fought over the particulars of the bill.

Last year, retailers strongly backed a data breach bill from the House Energy and Commerce Committee that almost made it through the lower chamber.

But that measure lost Democratic support at the last minute during a markup vote amid a fight over how strongly the federal bill should preempt state laws. Democrats worry a weak federal standard might supplant robust existing consumer protections. Republicans fear an invasive law could give too much power to zealous federal regulators.

Neugebauer, who chairs the House Financial Services Subcommittee on Financial Institutions and Consumer Credit, came out with his offering after the Energy and Commerce bill stalled.

Retailers immediately opposed the Neugebauer bill, which has a companion measure from Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) in the upper chamber.

Applying banking security rules on non-banking industries would create unnecessary regulations, the RILA argued in its letter. The organization points to one that requires any employee handling credit or debit card information to pass a criminal background check.

“This is one regulation that makes perfect sense for the banking industry where individuals handle loans and mortgages, but it is certainly not necessary for the high school student working part-time as a sales associate at a cash register,” the RILA said.

Despite the consensus that Congress must move on some data breach notification bill, it’s unexpected that lawmakers will act this year.