WASHINGTON, D.C. — The National Retail Federation (NRF) Wednesday presented six solutions to combat cybersecurity threats during a U.S. Congress hearing.
Politicians are seeking to introduce legislation tentatively titled the Data Security and Breach Notification Act of 2015. The goal of the hearing was to enact a national data breach notification standard that preempts existing state law.
Appearing before the House Oversight and Government Reform Committee's Subcommittee on Information Technology, David French, NRF's senior vice president for government relations, proposed these six solutions to cybersecurity attacks, which have been omnipresent in recent months:
1. Expanding consumer liability protection for using debit cards;
2. Issuance of PIN-and-chip (EMV) cards that incorporate both computer microchips and use of a PIN to authenticate a transaction;
3. Adoption of end-to-end data encryption throughout the payments system;
4. Developing open source, competitive tokenization standards to replace sensitive data with unique and unusable tokens;
5. Passage of a uniform nationwide breach notification law applying to all entities that handle sensitive customer information; and
6. Bolstering federal law enforcement investigation and prosecution of cybercriminals.
“We should not be satisfied with simply determining what to do after a data breach occurs,” said French. “Instead, it is important to look at why such breaches occur and what the perpetrators get out of them so that we can find ways to reduce and prevent not only the breaches themselves but the follow-on harm.”
NACS & SIGMA WEIGH IN
NACS, the Association for Convenience & Fuel Retailing, and SIGMA: America's Leading Fuel Marketers have also been quite active on the cybersecurity front. The two trade groups combined to submit written testimony Wednesday for the U.S. Congressional House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade.
In their testimony, NACS and SIGMA expressed concern about a section of the proposed draft bill which states that third parties and service providers do not need to notify affected consumers or the public when they have a data breach. In fact, in some situations, these parties do not need to notify anyone if a breach occurs, according to the two trade groups.
Such stipulations are unfair for convenience store operators, testified NACS and SIGMA. "The service provider provisions of the draft bill mean that if Comcast, for example, suffers a breach of its data lines, the most it has to do is notify businesses like a mom-and-pop convenience store whose data may have been carried when the breach occurred. Then, the mom-and-pop convenience store is on the hook for complying with all the notification provisions of the draft bill and will face large fines if it doesn’t do it right even though Comcast had the data breach. The same is true for third parties — just substitute Visa or Google for Comcast.
"This is fundamentally unfair," the testimony continued. "Corporate titans should not be able to foist legal responsibility for notifying people of their own data breaches onto businesses that did not have a data breach at all. The same would be true even if the third parties and service providers involved were universally small businesses. The cost and legal peril shifted onto other businesses simply does not make sense and those businesses have little if any ability to influence the data security practices of the third parties and service providers with which they deal."