Data Breach

Last Updated: January 23, 2019

The Issue

The threat of cyber theft and data breaches is real and affects every business and all consumers. In response to the proliferation of highly publicized data breaches, such as Equifax, Congress is working on data breach legislation.

Retail Impact

The convenience industry conducts over 160 million transactions each day and sells more than 80% of U.S. motor fuels, with more than half the sales on payment cards. Data thieves target convenience stores primarily for the payment card information that moves through the payment system when customers make purchases at stores.

NACS Position

NACS believes any legislation should incorporate the following principles:

  • Ensure all breached entities have notice obligations so that telecommunications companies, banks, card networks, card processors, and others cannot have a breach and push their notification obligations onto retailers;
  • Do not exempt favored industries (like financial services businesses) from data security or data breach responsibilities;
  • Promote reasonable data security standards without dictating detailed requirements that are not appropriate for many businesses;
  • Maintain an appropriate enforcement regime so that the Federal Trade Commission cannot immediately seek penalties without first giving businesses notice of what the law requires;
  • Establish a uniform nationwide law that preempts state laws.

Unfortunately, previous legislation did not meet any of these key principles. Many businesses, such as convenience retailers, would have been responsible for notification requirements even if they did not experience the breach. For example, if a third-party entity such as a payments processor or telecommunications service provider experienced a data breach, some previous legislation would have made the retailer responsible for notifying consumers of the breach and would have made the retailer liable for penalties if it failed to correctly send notices. In addition, many of these bills exempted several key industries from their requirements, including the financial services and telecommunications industries.