A representative from the National Retail Federation told Congress on Thursday that companies would improve their data security if Congress required them to meet uniform notification standards in the event of a data breach.

"Congress needs to provide incentives for companies to increase their security and nothing motivates like sunlight, requiring that every company have the same public notice obligations will provide this needed light," Mallory Duncan, senior vice president and general counsel of the National Retail Federation, said at a Senate Commerce Subcommittee hearing.

Mallory said requiring all entities that handle sensitive information to expose any data breaches would be a powerful incentive for them to enhance their internal data security. Uniform notice can also help individuals take the necessary steps to protect themselves, he added.

"Congress should not permit notice holes – situations where certain entities are exempt from reporting known breaches of their own systems. If we want to have meaningful incentives to increase security, everyone needs to have skin in the game," he said.

Doug Johnson, senior vice president and senior advisor for risk management policy at the American Bankers Association, said security breaches have not stopped most consumers from using their credit and debit cards.

"No security breach seems to stop the $3 trillion that Americans spend safely and securely each year with their credit and debit cards. And with good reason: Customers can use these cards confidently because their banks protect them from losses by investing in technology to detect and prevent fraud, reissuing cards and absorbing fraud costs," he said in his prepared remarks.

Johnson agreed that a national standard for data security and breach notification is necessary. He said consumers have a right to swift, accurate, and effective notification of such breaches.

"They also have a right to trust that, wherever they transact business electronically, the business is doing everything it can to prevent that breach from occurring in the first place," he said.

"We believe the extensive breach reporting requirements currently in place for banks provide an effective basis for any national reporting requirement for businesses generally," he told the committee.

CUNA, NAFCU, the ABA and other trade associations wrote a letter to the subcommittee in advance of the hearing calling for legislation that holds breached entities accountable for the costs of the incident and ensures consumers are notified of breaches.
