Data Security a Focus at the NACS Government Relations Conference

Attendees heard expert insights on this key issue before taking that knowledge to Capitol Hill.

March 05, 2015

WASHINGTON – Data security – specifically where the responsibility resides regarding data breach notifications – is gaining traction in Congress in the wake of major data breaches that occurred at some of the country’s largest retail companies, such as Target and Home Depot. So it was no surprise that the topic of data security was explored in depth at with stakeholders participating in the NACS Government Relations Conference this week.

Doug Kantor, partner at Steptoe & Johnson LLP, told attendees that far too many legislators and regulators think that “this is a retail problem.” In fact, 47 states currently have data breach notification laws on the books that retailers must comply with, including four laws in U.S. territories. The banks, meanwhile, are exempt from 14 state laws concerning data breach notifications, and there is no federal notification requirement – even though the banks act like there is one, he said.

Paige Anderson, NACS government relations director, commented that under the Gramm-Leach-Bliley Act, data breach notifications are not immediately required by the banks, which is why JPMorgan Chase & Co. did not notify the public of a data breach that occurred in June and July 2014 until October of that year. The bank’s data breach is one of the largest in history, compromising personal information of some 83 million cardholder accounts.

The convenience and fuel retailing industry’s strongest ally on swipe fee reform and data security is the National Retail Federation (NRF). Mallory Duncan, senior vice president and general counsel at the NRF, stated that Congress no doubt is faced with a difficult problem to fix. Both NACS and NRF support a data breach notification law that would establish a clear disclosure standard for all businesses – the entire payments system from card companies to telecommunications firms – to inform consumers of breaches whenever and wherever they occur.

Duncan clarified that there should be incentives for companies to increase data security, and that a uniform law would apply to all states across the country, one that “must reflect a strong consensus of the state laws in existence already.

Of course, this is not the first time Congress has approached data security legislation. Anderson said that the current 114th Congress is the fifth Congress that has attempted to move data breach notification legislation. And as new members of Congress take office each year, the industry must re-educate newer members and their staff about the issue.

“Unintended consequences begin to happen when you start to write the legislation,” she said. For example, when considering a timeline for companies to notify the public of a data breach, companies may not know they were breached from six months to a year after it occurred. “It’s hard to notify consumers if you don’t know,” she said, adding that oftentimes the data stolen wasn’t even valuable information.  

When discussing data security with members of Congress, Kantor suggested to attendees that it’s helpful to remind Congress that convenience and fuel retailers are in a difficult spot. The card companies and banks “have given us a product that is flawed and fraud prone,” meaning the card itself and its mag strip technology are vulnerable. “We accept the payment but the card companies have failed to keep up with the technology available around the world,” he said, adding that issuing cards in the United States with chip but not PIN will not be enough to protect consumers. “Explaining the deficiency in this about card companies is important,” he said. “The banks and card companies are choosing profits over protecting consumers.”

The NACS Government Relations Forum wrapped up yesterday with attendees meeting with their elected officials and their staff to talk about the industry’s top issues and concerns and give a voice the $695 billion convenience store industry. In many meetings retailers introduced themselves to recently sworn-in members of Congress, establishing important relationships that will benefit the industry for years to come.

Look for more coverage of this year’s Government Relations Conference in the April issue of NACS Magazine.

Advertisement
Advertisement
Advertisement