The major data breaches from retailers Target, Neiman Marcus, Michaels and TJX have rekindled the debate on not only updating credit cards and payment systems, but also legislation on data breach reporting. The goal is to hold retailers to the same standards of reporting that healthcare and financial institutions face. However, there are many obstacles in the way.
To begin, this position has been passed through Congress several times at the hands of intelligence, judiciary, and homeland security officials, but is often shot down. There are two main factors to the failure of these bills. First, all of the bills introduced to date are repetitions of previously failed ones. Second, there are questions regarding whether or not a federal mandate will overrule current state regulations. At the moment all states have current standards in place for this issue, but no two ones are the same. Finding a uniform law to cover all state regulations is proving to be a very difficult task.
This particular issue takes a less than traditional route through congress due to the legal complexity of technologies landscape. This issue gets support from all parties across the board, which is unusual, but it is rejected just the same. You have conservatives and liberals finally taking the same side on this position but still in disagreement overall.
Having a preemptive breach notification law at the federal level will allow these organizations to focus all of their attention and resources to one single regulation. As it stands, retailers who have stores in different states must know what each states law requires of them. Currently 46 states and the District of Columbia have passed their own state laws, this means nationwide retailers have to stay on top of 47 different laws as opposed to 1.
The National Retail Federation has apparently been asking for this bill for over a decade, but the bill can’t make it out of Congress. Part of the issue is some state attorney generals are worried that a federal law would make it more difficult for the individual state to pursue charges on the violators.
Clearly the retailers are asking for a better system, but Congress can’t seem to put something decent enough together to meet everyone’s needs. So, for now, things are looking like they will remain the same, but it sounds like there could be a major change on the horizon.