By Jeff Bater and Alexei Alexis
Nov. 12 — Financial industry groups Nov. 12 told congressional leaders that robust oversight will help U.S. retailers protect consumers from cyberattacks—an assertion that could fuel tension between the two sectors in the debate over data security.
U.S. financial institutions are already subject to extensive data security regulations under the Gramm-Leach-Bliley Act (GLB Act), but retailers aren't covered by any such requirements at the federal level, according to a letter from the financial industry groups.
“It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential personal financial information from criminal abuse,” wrote the American Bankers Association, the Consumer Bankers Association, The Clearing House, the Credit Union National Association, the Financial Services Roundtable, the Independent Community Bankers of America and the National Association of Federal Credit Unions.
The coalition said it was seeking to “set the record straight” after a Nov. 6 letter from retail industry groups to Congress.
Retail groups have encouraged the enactment of a federal data security breach notification bill that would preempt an existing patchwork of state laws. But they have rejected the idea of a carve-out for financial institutions.
“Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit,” the recent retail industry letter said.
Despite a major data security breach recently reported by JPMorgan Chase & Co. and news that several other banks have suffered similar incidents, regulators haven't required financial institutions to provide “the same detailed notice to their customers as is required of other businesses under law,” according to the retail letter.
The dueling letters are part of an ongoing dispute between the two industries over data security bill issues. Groups from both sides agreed earlier in 2014 to work toward an agreement under the umbrella of a broader cybersecurity partnership. But differences have since emerged that might ultimately lead to a stalemate, industry sources previously told Bloomberg BNA.
The industry partnership was formed after retailers, such as Target Corp. and Neiman Marcus Group Ltd., reported high-profile data security breaches, triggering a flurry of congressional hearings and bills.
Among other pending measures, a proposal (S. 1976) introduced by Sen. Jay Rockefeller (D-W.Va.), chairman of the Senate Commerce, Science and Transportation Committee, would authorize the Federal Trade Commission to enforce new rules requiring retailers and other companies to protect sensitive consumer data, such as credit or bank account information, and to notify individuals in the event of a breach. Violators would face civil penalties.
The commission now relies substantially on Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits “unfair and deceptive” trade practices, to pursue data security cases.
The Rockefeller bill would provide a regulatory carve-out for financial institutions that are in compliance with data security rules under the GLB Act. The senator's proposal and other bills to give the FTC new data security powers have stalled since they were introduced earlier in 2014. Similar legislation has died in previous congresses.
In a related development, President Barack Obama in October unveiled an executive order to strengthen the security of government credit and debit cards as part of a broader initiative to protect consumers' financial information in light of recent breaches. But he said that Congress still needs to do its part by moving forward on stalled data security legislation.
To contact the editor responsible for this story: Heather Rothman at email@example.com
The financial industry letter is available at http://fsroundtable.org/industries-equal-data-security-standards/.
The retail industry letter is available at https://nrf.com/sites/default/files/Final%20Merchant%20Group%20Letter%20to%20Congressional%20Leaders%20on%20Data%20Breach.pdf.