The National Retail Federation is asking Congress to reject any legislation that would impose data security rules designed for the banking industry upon retailers and other nonbank businesses.
“Broad expansion of data security standards similar to the Gramm-Leach-Bliley Act guidelines to virtually every unregulated business in the U.S. economy would be a serious error,” David French, the trade association’s senior vice president for government relations, wrote in a letter to members of the Senate Commerce, Science and Transportation Committee.
NRF also commissioned a white paper, authored by former Federal Trade Commission officials, in response to proposals before Congress that could expand the authority and responsibility of the FTC to oversee data security for nonbank businesses. The arguments against extending GLBA guidelines to non-financial businesses: the FTC’s role is that of a law enforcement agency rather than an oversight regulator, and nonbank businesses have little or no authority to implement security-minded technology changes to payment cards.
“Safeguards designed for closely supervised banks that issue credit and debit cards are a poor fit for the vast array of entities that accept credit cards and debit cards as payment,” the white paper says. “The FTC lacks supervisory examination authority and lacks the resources to provide the specific guidance and ongoing oversight that would be necessary to effectuate guidelines-type rules covering the huge diversity of nonbank entities.”