From NRF’s press release:
The National Retail Federation today voiced concern over data breach legislation set for consideration by a Senate committee, saying the bill is too broadly written and would lead to “notice fatigue” among consumers.
[…]
French’s comments came in a letter sent today to members of the Senate Judiciary Committee. The panel is scheduled to consider S. 1151, the Personal Data Privacy and Security Act of 2011, sponsored by Chairman Patrick Leahy, D-Vt., Thursday morning.
The bill would require businesses to notify customers when “sensitive personally identifiable information” has been breached, such as in a number of recent data breach cases targeting retailers along with universities, government agencies, financial institutions and other businesses. But French said the bill’s definition of such information “is far reaching and covers common data items, the disclosure of which in most cases is inconsequential or does not lead directly to identity theft.” In one example, the breach of a customer’s name, address and date of birth would be deemed sensitive even though that combination of items alone “provides very little risk of leading to identity theft.”
Read the full release and letter.
What is there about “It’s not just about ID theft” that the NRF refuses to acknowledge?