TLDR: Trade groups testified before Congress this month regarding a new cybersecurity bill.
Recently there has been a surge in the number of successful cyber-attacks on U.S. corporations. Unsurprisingly, consumers are growing more concerned about the security of their personal information in the digital world. Many companies are trying to get ahead of this developing problem by banding together in support of stronger cybersecurity measures. For example, the National Retail Federation (NRF) this month testified before the House Oversight and Government Reform Committee’s Subcommittee on Information Technology and recommended a half-dozen specific actions for combating cybercriminals:
- Expanding consumer liability protection for using debit cards;
- Issuance of PIN-and-chip (EMV) cards that incorporate both computer microchips and use of a PIN to authenticate a transaction;
- Adoption of end-to-end data encryption throughout the payments system;
- Developing open source, competitive tokenization standards to replace sensitive data with unique and unusable tokens;
- Passage of a uniform nationwide breach notification law applying to all entities that handle sensitive customer information; and
- Bolstering federal law enforcement investigation and prosecution of cybercriminals.
The NRF testified because lawmakers are seeking input regarding a new legislative proposal, tentatively titled the Data Security and Breach Notification Act of 2015. Some other trade groups that testified weren’t particularly supportive of what this bill aims to accomplish. CSNews continues, “In its testimony, NACS and SIGMA expressed concern about a section of the proposed draft bill, which states third parties and service providers do not need to notify affected consumers or the public when they have a data breach. In fact, in some situations, these parties do not need to notify anyone if a breach occurs, according to the two trade groups. Such stipulations are unfair for convenience store operators, testified NACS and SIGMA. ‘The service provider provisions of the draft bill mean that if Comcast, for example, suffers a breach of its data lines, the most it has to do is notify businesses like a mom-and-pop convenience store whose data may have been carried when the breach occurred. Then, the mom-and-pop convenience store is on the hook for complying with all the notification provisions of the draft bill and will face large fines if it doesn’t do it right even though Comcast had the data breach. The same is true for third parties — just substitute Visa or Google for Comcast…’”