As House Financial Services Committee members circulate a draft of data security legislation, the nation's retailers and financial institutions—including credit union trade groups—are trading accusations that stalled legislation in the past.
Two members of the House Financial Services Committee—one Republican and one Democrat—are circulating draft legislation that would set a national data security standard and require prompt notification when a data breach occurs.
House Financial Institutions Subcommittee Chairman Blaine Luetkemeyer (R-Mo.) and Rep. Carolyn Maloney (D-N.Y.) are circulating a discussion draft of legislation.
Financial trade groups—including CUNA and NAFCU—have expressed support for the legislation, saying that they already have strict rules they must follow when data breaches occur.
However, merchants say that the Financial Services Committee bill exempts financial institutions and that the claim that those institutions already have effective rules simply is not true.
"Banks and credit unions are mandated, by our regulators, to notify their customers in the event of a breach," the financial institutions said in a letter to House members.
They say the draft bill recognizes that regulators, including the NCUA, have strict oversight over data breach notification policies and the standards used to safeguard consumer data.
They said they are pleased that the bill does not include financial institutions in a new notification requirement but does set a standard for merchants.
"Essentially, it brings expectations for these other sectors up to a standard very similar to that currently in place for banks and credit unions," they said.
The National Retail Federation and a variety of merchant trade groups contend that statistics show that financial service companies were responsible for more than 24% of the breaches in 2017, according to the Verizon Data Breach Investigations Report.
They said that all industry sectors should be included in new data breach legislation, adding that under the Financial Services bill, Equifax and financial institutions would be exempt.
"The exemption of Equifax and other financial services companies from the requirements of that bill would have created particularly weak public policy given that the same bill provided those companies with preemption from the requirements of state laws," they said.