NACS, SIGMA Weigh In on Congressional Cybersecurity Hearing
WASHINGTON, D.C. — Creating a level playing field, providing flexibility for retailers and avoiding punitive approaches are three key elements that should be part of any federal data breach legislation, according to an eight-page testimony delivered to Congress yesterday by NACS, the Association for Convenience & Fuel Retailing, and The Society of Independent Gasoline Marketers Association of America (SIGMA).
The testimony, submitted during a hearing before the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade entitled "What Are the Elements of Sound Data Breach Legislation?," noted that convenience store retailers and gas station operators should be a vital component of any final law.
"In light of the number of fuel and other transactions that our industry engages in, we handle approximately one of every 22 dollars spent in the United States. In fact, our retailers serve about 160 million people per day — around half of the U.S. population. And a majority of those transactions are made using payment cards," NACS and SIGMA said in their testimony.
The testimony advised that any final cybersecurity law should create a level playing field. "Many types of data are transmitted between different businesses on a regular basis, but this is particularly true of payment card data. In fact, merchants, data line providers, processors, acquiring banks, card networks and card issuers transmit data back and forth among one another hundreds of millions of times per day. If data breach legislation focuses on some of these businesses and does not cover others the same way, a couple of problems will result," according to the testimony.
NACS and SIGMA also asked that any legislation provide plenty of flexibility for retailers as data breaches have become more and more complex. In fact, two-thirds of data breaches take months to discover, according to the 2013 Verizon Data Breach Investigations Report.
"Providing public notice of data breaches before the full extent of a breach is known — and therefore before a business can be sure that its system is fully secure — can create increased risk for consumers and [the] business. If data thieves become aware that they have been detected, which notice would make clear, they often try to quickly grab as much additional data as they can as fast as they can," NACS and SIGMA testified. "That is not a risk that legislation needs to create by setting an arbitrary timing requirement for notice."
The testimony also called for federal legislation to avoid punitive approaches leveled against retailers. "If the Defense Department and NSA can be hacked, it demonstrates how difficult the challenge is for private businesses to fully protect themselves. Given the difficulty, overly punitive measures are not appropriate in these situations," the associations stated.
The entire NACS and SIGMA testimony can be viewed here.