Former FTC Officials Call Gramm-Leach-Bliley Data Security Regulations ‘Poor Fit’ for Nonbank Businesses
NRF Sends New White Paper to Senate Commerce Committee
(Business Wire) The National Retail Federation today called on the Senate to reject legislation that would impose data security rules designed for the banking industry on retailers and other nonbank businesses, citing a new white paper by two former Federal Trade Commission officials who said doing so would be a “poor fit.”
“Broad expansion of data security standards similar to the Gramm-Leach-Bliley Act guidelines to virtually every unregulated business in the U.S. economy would be a serious error,” NRF Senior Vice President for Government Relations David French said in a letter to members of the Senate Commerce, Science and Transportation Committee. “We support a standard, but it must be a general standard appropriate for the broad array of businesses it would cover.”
NRF commissioned the white paper in response to a number of proposals before Congress to expand the ability, authority and responsibility of the FTC to oversee data security for nonbank businesses, ranging from dry cleaners to taxi drivers. The authors, former FTC Bureau of Consumer Protection officials Joel Winston and Anne Fortney, laid out three main arguments against extending GLBA guidelines to non-financial businesses:
- The FTC’s role as a law enforcement agency rather than an oversight regulator
- Overly burdensome obligations on nonbank businesses that have little or no authority to implement changes to payment cards
- The FTC’s own objections to expanding GLBA requirements to retailers
“When it issued consumer information privacy and safeguards rules under the Gramm-Leach-Bliley Act, the FTC considered applying the rules to retailers that accept bank credit or debit cards and declined to do so,” Winston and Fortney wrote. “We believe that determination remains equally justified today.”
While banks work extremely closely with federal regulators on data security, the FTC only obtains compliance from businesses after initiating a law enforcement investigation and review of an event after it happens, the paper noted.
“Safeguards designed for closely supervised banks that issue credit and debit cards are a poor fit for the vast array of entities that accept credit cards and debit cards as payment,” the white paper said. “The FTC lacks supervisory examination authority and lacks the resources to provide the specific guidance and ongoing oversight that would be necessary to effectuate guidelines-type rules covering the huge diversity of nonbank entities.”
Additionally, unlike banks and credit card companies that require merchants to maintain certain data security obligations, retailers lack any authority over the payment cards, the paper said. For example, while many merchants would like to see new credit cards being issued incorporate both a computer microchip and a personal identification number (PIN) to reduce fraud, banks and card issuers plan to issue chip-only cards, and merchants have no power to mandate the extra security that would be provided by a PIN.
Furthermore, many GLBA requirements “simply are not relevant” to nonbank businesses or would impose “unreasonable obligations,” the paper said. “It is unclear what additional benefit to the public would gain by subjecting nonbanks to specific requirements of the guidelines.”
Although NRF opposes expansion of GLBA requirements to nonbanks, it has testified in support of a uniform national data breach law that would apply a reasonableness standard modeled after state law under Section 5 of the FTC Act that would cover all entities.
NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation. NRF.com