NRF Says Data Breach Bill Would Lead to ‘Notice Fatigue’

WASHINGTON -- The National Retail Federation today voiced concern over data breach legislation set for consideration by a Senate committee, saying the bill is too broadly written and would lead to “notice fatigue” among consumers.

“Notifying likely targets of identity theft when (data breaches) occur is a goal NRF supports,” NRF Senior Vice President for Government Relations David French said, calling for uniform national standards that would preempt conflicting state laws and for “proportionate application” of security standards across all industries. “However, the proposed legislation exceeds these concepts by unnecessarily broadening its scope and creating unrealistic triggers for expansive new civil penalties.”

“The legislation has a heavy bias toward notification in virtually every instance regardless of seriousness,” French said. “This will cause millions of individuals to be alerted needlessly, creating ‘notice fatigue’ and undermining the very purpose for which the legislation is being considered.”

French’s comments came in a letter sent today to members of the Senate Judiciary Committee. The panel is scheduled to consider S. 1151, the Personal Data Privacy and Security Act of 2011, sponsored by Chairman Patrick Leahy, D-Vt., Thursday morning.

The bill would require businesses to notify customers when “sensitive personally identifiable information” has been breached, such as in a number of recent data breach cases targeting retailers along with universities, government agencies, financial institutions and other businesses. But French said the bill’s definition of such information “is far reaching and covers common data items, the disclosure of which in most cases is inconsequential or does not lead directly to identity theft.” In one example, the breach of a customer’s name, address and date of birth would be deemed sensitive even though that combination of items alone “provides very little risk of leading to identity theft.”

The bill would also allow the definition of sensitive information and scope of the bill to be expanded by federal agencies under their authority to establish regulations. French argued that the ability to do so should require congressional action and should “not be abdicated to unelected officials.”

The bill’s provision for large fines for violations of its requirements “further penalizes reputable businesses who themselves have been the victim of a cybercrime regardless of whether they used their best efforts to maintain the security of company data,” French wrote.

As the world’s largest retail trade association and the voice of retail worldwide, NRF’s global membership includes retailers of all sizes, formats and channels of distribution as well as chain restaurants and industry partners from the United States and more than 45 countries abroad. In the United States, NRF represents an industry that includes more than 3.6 million establishments and which directly and indirectly accounts for 42 million jobs – one in four U.S. jobs. The total U.S. GDP impact of retail is $2.5 trillion annually, and retail is a daily barometer of the health of the nation’s economy. www.nrf.com.

Contacts

National Retail Federation
J. Craig Shearman, 202-626-8134
shearmanc@nrf.com
