Equifax’s data breach has drawn fresh attention to a lack of uniform federal data security standards. A wide variety of associations have called on Congress to establish standard requirements for breach disclosure and data security.
In the wake of the enormous Equifax data breach, which first came to light last week, a variety of associations are calling for stronger federal standards for both data security and breach disclosure.
A coalition of groups representing a wide swath of economic sectors—including retail, travel, real estate, and hospitality—sent a letter to U.S. House and Senate leaders urging Congress to pass legislation that would make standards uniform across the country and across industries.
The statement comes as 143 million people are worrying about the exposure of sensitive personal information in a wide-reaching data breach of the credit reporting agency. Equifax’s response has been widely criticized—both because it didn’t immediately disclose the breach and because the information it eventually did provide was confusing (its dedicated website initially didn’t make it clear whether a user’s data had been exposed). The company’s CEO has apologized and promised long-term changes.
It was against this backdrop that industry groups made a call for fundamental changes to data breach laws. Signatories to the letter to Congress included, among others, the National Retail Federation, the National Association of Realtors, the U.S. Travel Association, and the American Hotel & Lodging Association.
“To protect customers and ensure effective public policy, Congress should ensure that any federal breach notification law applies to all affected sectors and leaves no holes in our system for some industries that criminals can exploit,” the letter states. According to the letter, 80 percent of data breaches take place in industries other than those represented by the signatories.
The associations called for a uniform federal law to replace the “52 inconsistent breach laws currently in effect.” They added that legislation should “promote reasonable data security standards,” provide for “appropriate” levels of Federal Trade Commission enforcement, and create uniform disclosure rules for all affected industries.
“Creating exemptions for particular industry sectors or allowing breached entities to shift their notification burdens onto other businesses will weaken the effectiveness of the legislation, undermine consumer confidence, ignore the scope of the problem, and create loopholes that criminals can exploit,” the signatories wrote.
In a separate letter to congressional leaders, Dan Berger, CEO of the National Association of Federally-Insured Credit Unions, wrote that the Equifax breach, “and the report that they had known about it for weeks without notifying consumers, is yet another demonstration of the need for a legislative solution.”
Meanwhile, the Credit Union National Association (CUNA) and the American Bankers Association are helping members with messaging in the wake of the breach.
“A number of credit unions have reached out to us about how to communicate to their members about this breach, and we’re looking to get more information from Equifax and others,” CUNA Chief Advocacy Officer Ryan Donovan told Credit Union Journal.