Financial industry trade groups in November sent a letter to Congress calling for legislation to impose tougher data security requirements on retail companies in light of a number of data breaches that occurred in 2014. According to the letter, U.S. financial institutions are already subject to extensive data security regulations under the Gramm-Leach-Bliley Act (GLBA), but retailers are not covered by any such requirements at the federal level.
“While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk,” the letter stated. “In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached.”
The letter was in response to a retail industry letter sent to Congress a week earlier encouraging the enactment of a federal data security breach notification bill that would preempt an existing patchwork of state laws, but would not carve out financial institutions. The retail groups point to 10 instances where financial institutions have suffered recent data breaches, but contend that financial regulators have not required them to provide the same detailed notice to their customers as is required of other businesses under law.
“Congress should act to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur,” the retailers stated. “However, legislation that would demand notice of some sectors, while leaving others largely exempt, will unfairly burden the former and unnecessarily betray the public’s trust.”
Earlier this year, retail and financial groups formed an industry partnership after Target Corp. and Neiman Marcus reported high-profile data security breaches, triggering a flurry of congressional hearings and bills. However, that partnership dissolved over financial industry objections to giving the Federal Trade Commission (FTC) enforcement authority over banks.
The most prominent legislative casualty in this battle between banks and retailers is a proposal (S. 1976) by Sen. Jay Rockefeller (D-WV), chairman of the Senate Commerce, Science and Transportation Committee, to authorize the FTC to enforce new rules requiring retailers and other companies to protect sensitive consumer data. The bill provides a regulatory carve-out for financial institutions that are in compliance with data security rules under GLBA. Consequently, movement on the bill has stalled since it was first introduced in January 2014.