Conexxus Working to Shape Data Breach Legislation
ANNAPOLIS, Md. — 2014 was the year of the data breach. 2015 could be the year of legislation intended to counteract cybersecurity attacks.
While political concern over the high-profile retail data breaches that have occurred recently is a good thing, Congress has only been focusing on information sharing and data breach notification bills, Paige Anderson, director of government relations for NACS, the Association for Convenience & Fuel Retailing, told attendees of this week's 2015 Conexxus Annual Conference.
In a presentation entitled “Technology Legislative & Regulatory Update,” Anderson called the week of April 20 “Cyber Week” on the U.S. House of Representatives floor. The week was highlighted by the passage of the “Protecting Cyber Networks Act,” intended to make it easier for private companies to share cybersecurity threats with each other and the government without fearing lawsuits.
One major problem with this information sharing law is banks are not covered in the legislation, likely due to political reasons, according to Anderson. This is a mistake, she said, as only 11 percent of all breaches involve retailers — the primary target of the legislation — while 34 percent of breaches occur at financial institutions. Hence, NACS fought for changes in the legislation.
“NACS believes all industries should be part of the legislation,” she said. “It needs to be a level playing field.”
On the U.S. Senate floor, information sharing is also a point of interest. There are two competing bills being bandied about, one of which NACS opposes because it's written by the financial services industry. The trade association much prefers a proposed information bill sponsored by Sen. Mark Warner (D-Va.). Although the bill needs some “tinkering,” Anderson stressed this bill is retailer friendly.
“We like it because it states who is responsible for [public] notification [of the breach],” she said. “It also provides for flexibility with law enforcement.”
Data breach legislation has yet to reach the House floor, but Anderson expects the topic to be taken up by Congress in August.
“It’s going to be a busy June and July for us,” she said.
PROTECTING AGAINST IDENTITY THEFT
On a related topic, Conexxus Executive Director Gray Taylor followed Anderson’s comments by discussing identity theft as it relates to personally identifiable information (PII). Under privacy law, PII is information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.
Taylor said PII has a profound effect on convenience store retailers since they can be fined by the U.S. government if it's determined that they in any way are “complicit” in any identity theft that occurs after gathering customer information.
“If you have a loyalty program or a mailing list, you have PII,” he explained. Therefore, Taylor said retailers should take steps to ensure identity theft does not occur.
First, c-store retailers must determine what they are using customer information for. “You need to ask why you are collecting information,” he said. “Because ‘I can’ or because ‘it’s cool’ is not a reason.”
C-store retailers should then take all possible steps to protect the acquired customer information via encryption and tokenization methods.
If customers ask to opt out from a loyalty program or similar program, destroy the data, concluded Taylor. “They should no longer be in the system.”
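The three steps Taylor outlines (decide why a field is collected, keep the raw data protected, and erase it on opt-out) can be sketched in code. The following Python is an added illustration written for this page; it is not code from Conexxus, NACS or the conference. The purpose register, the `PIIVault` and `LoyaltyProgram` classes, and the sample member data are all hypothetical. It shows tokenization rather than encryption: the working loyalty database holds only random tokens, the raw PII sits in a separate vault, and opting out erases the vault entry so the remaining records can no longer identify the customer.

```python
"""Tokenized loyalty-program store (added illustration, not Conexxus/NACS code)."""
import secrets
from dataclasses import dataclass, field

# Hypothetical purpose register: a field may be collected only if a business
# reason is on file. "Because I can" or "because it's cool" is not a reason.
PURPOSES = {
    "email": "deliver loyalty statements",
    "phone": "fraud alerts on fuel rewards",
}


class PIIVault:
    """Maps opaque random tokens to raw PII.

    In production this would be a separately secured, encrypted store; here it
    is an in-memory dict so the example runs offline.
    """

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        # 128 bits of randomness: the token reveals nothing about the value.
        token = secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenize(self, token):
        # Raises KeyError once the entry has been erased.
        return self._store[token]

    def erase(self, tokens):
        for token in tokens:
            self._store.pop(token, None)


@dataclass
class LoyaltyMember:
    member_id: int
    tokens: dict = field(default_factory=dict)  # field name -> token, never raw PII
    points: int = 0


class LoyaltyProgram:
    """Working database: holds tokens and points only."""

    def __init__(self, vault):
        self.vault = vault
        self.members = {}

    def enroll(self, member_id, **pii):
        # Step 1: refuse to collect anything without a declared purpose.
        for name in pii:
            if name not in PURPOSES:
                raise ValueError(f"no declared purpose for collecting {name!r}")
        member = LoyaltyMember(member_id)
        # Step 2: store tokens in the program, raw values in the vault.
        for name, value in pii.items():
            member.tokens[name] = self.vault.tokenize(value)
        self.members[member_id] = member
        return member

    def contact_email(self, member_id):
        return self.vault.detokenize(self.members[member_id].tokens["email"])

    def opt_out(self, member_id):
        # Step 3: erase the vault entries; the returned record carries only
        # dangling tokens and a points balance, so it identifies nobody.
        member = self.members.pop(member_id)
        self.vault.erase(member.tokens.values())
        return member


if __name__ == "__main__":
    vault = PIIVault()
    program = LoyaltyProgram(vault)
    program.enroll(101, email="customer@example.invalid")  # constructed sample
    print("lookup works:", program.contact_email(101))
    leftover = program.opt_out(101)
    print("after opt-out, record holds only:", leftover)
```

The separation matters for the fine Taylor describes: a compromise of the loyalty database alone yields tokens with no link to a person, and an opt-out is complete once the vault entry is gone, without hunting for copies of the address across reports and mailing exports.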
The 2015 Conexxus Annual Conference concluded Thursday at the Loews Annapolis Hotel.