Cory Bennett reports:
Retailers on Tuesday doubled down on their opposition to a data breach notification bill favored by financial firms.
The Retail Industry Leaders Association (RILA), one of the sector’s largest trade groups, argued in a letter to House leadership that the measure would be unfair to large swaths of the economy.
The bill, from Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to notify customers following a breach and set nationwide data security standards modeled after those governing the financial sector.
Read more on The Hill.
The bill in question is The Data Security Act of 2015 (H.R. 2205). It currently has 39 co-sponsors and would pre-empt state data breach notification laws.
Of note, the bill uses an acquisition trigger for notification, and defines “breach of data security” as the unauthorized acquisition of sensitive financial account information or sensitive personal information. The obligations do not apply if the data are encrypted or otherwise made unusable and they do not apply to any “agency or any other unit of Federal, State, or local government or any subdivision of the unit.” The bill would not seem to apply to health information held by non-HIPAA-covered entities, either.
So with so much wrong with the bill, why is anyone even discussing it? I stopped reading it by Sec. 4. of the text. But then, I’m not a retailed who would be obligated to notify about all the breaches involving credit and debit card numbers.