News Feature | April 8, 2015

Retailers Propose Achievable Solutions To Address Cybersecurity Threats

Source: Innovative Retail Technologies

By Christine Kern, contributing writer

NRF Backs Legislation To Create National Data Breach Standards

Retailers are understandably concerned about the state of cybersecurity, in light of the rash of major breaches that have cost the industry millions of dollars. Now, they are supporting actions to help guarantee the safety of customer information and reduce the impact of breaches on retailers.

During testimony before the House Oversight and Government Reform Committee’s Subcommittee on Information Technology, NRF Senior Vice President for Government Relations David French offered practical, commonsense and achievable solutions to better protect consumers and help businesses prevent cyberattacks and data breaches.

The NRF first proposed its recommendations in an open letter to President Obama last month.

“We should not be satisfied with simply determining what to do after a data breach occurs,” French said. “Instead, it is important to look at why such breaches occur and what the perpetrators get out of them so that we can find ways to reduce and prevent not only the breaches themselves but the follow-on harm.”

In his testimony, French outlined six proposed solutions. They included:

  • Expanding consumer liability protection for using debit cards;
  • Issuance of PIN-and-Chip cards that incorporate both computer microchips and use of a personal identification number (PIN) to authenticate a transaction;
  • Adoption of end-to-end data encryption throughout the payments system;
  • Developing open source, competitive tokenization standards to replace sensitive data with unique and unusable tokens;
  • Passage of a uniform nationwide breach notification law applying to all entities that handle sensitive customer information; and
  • Bolstering federal law enforcement investigation and prosecution of cybercriminals.

One piece of the NRF’s proposed solution has taken a step forward, as the Data Security and Breach Notification Act is on its way to the House Energy and Commerce Committee for consideration on April 15, after being approved by voice vote by the subcommittee last week.

The measure would require companies to maintain “reasonable” security practices, and inform all potentially affected customers within 30 days of a breach. Violation of the bill would subject companies to enforcement and censure by the Federal Trade Commission (FTC).

“We are one step closer to enactment of an effective and uniform national standard for data breach notification,” NRF Senior Vice President for Government Relations David French said. “In that vein, we are particularly pleased that the Subcommittee approved the amendment offered by Rep. Pompeo, and supported by Rep. Peter Welch, D-Vt., which will close third-party notice holes. Thanks to the Pompeo Amendment, consumers will receive more effective notification about breaches and, most importantly, businesses will be incentivized to enhance their data security practices.

“As we highlighted in our testimony before the Subcommittee last week, the retail industry supports a strong and effective data breach notification law that would enhance consumer protections and provide a uniform data breach notification standard for all businesses and firms handling sensitive customer data with equal or equivalent requirements and obligations.”

The NRF has been collaborating diligently with government officials, law enforcement agencies, and other stakeholders to find appropriate and timely solutions to data and payment security to shore up the retail industry’s defenses against cybercriminals.