Retailers Outline Four Principles of Data Security

In the wake of the Equifax data breach, NACS and a retail coalition communicate to Congress the four principles they support in federal data security and breach notification legislation.

September 14, 2017

WASHINGTON – On Sept. 7, Equifax announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

In the wake of the unprecedented data breach, members of Congress are calling for congressional hearings to examine data security and consumer protection. House Energy and Commerce Committee Chairman Greg Walden (R-OR) and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-OH) invited Equifax CEO Richard Smith to testify before the committee in October.

After receiving a briefing from Equifax last week on the breach, the committee has been in contact with Equifax to determine the appropriate time for a hearing. “We look forward to hearing directly from Mr. Smith on this unprecedented breach that has raised serious questions about the security of consumers’ personal information,” said Walden and Latta. “We know members on both sides of the aisle appreciate Mr. Smith’s willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation.”

In addition, House Financial Services Committee Chairman Jeb Hensarling (R-TX) announced that the committee will also hold a hearing on the Equifax data breach. Per The Hill, Hensarling called the breach “a very serious and very troubling situation.”

This week, NACS and a coalition that includes the American Hotel & Lodging Association, International Franchise Association, National Association of Realtors, National Association of Truck Stop Operators, National Council of Chain Restaurants, National Grocers Association, National Retail Federation, Society of Independent Gasoline Marketers of America, and the U.S. Travel Association wrote to members of Congress to outline four principles that are important to ensuring any data security and breach notification legislation that advances in Congress does not overly burden businesses already victimized by a breach.

The four principles NACS and coalition members support in federal data security and breach notification legislation are: 

  1. Establish Uniform Nationwide Law: With 52 inconsistent breach laws currently in 48 states and 4 federal jurisdictions, there is no sound reason to enact federal legislation in this area unless it preempts the existing laws to establish a uniform, nationwide standard so that every business and consumer knows the singular rules of the road. Simply enacting a different, 53rd law would only create more confusion. 
  2. Promote Reasonable Data Security Standards: Data security requirements in a federal law applicable to a broad array of U.S. businesses should be based on a standard of reasonableness. A reasonable standard, consistent with federal consumer protection laws applicable to businesses of all types and sizes, would allow the right degree of flexibility while giving businesses the appropriate level of guidance they need to comply. 
  3. Maintain Appropriate FTC Enforcement Regime: Federal agencies should not be granted overly-punitive enforcement authority that exceeds current legal frameworks.
  4. Ensure All Breached Entities Have Notice Obligations: Businesses in every affected industry sector should have an obligation to notify consumers when they suffer a breach of sensitive personal information that creates a risk of identity theft or financial harm. Informing the public of breaches can help consumers take steps to protect themselves from potential harm.

“We urge you to exercise your leadership to find legislation that can meet these four principles,” wrote the group. “Additionally, any such process needs to include input from all affected industries and from businesses of all sizes. Otherwise, it risks imposing unfair and/or crippling burdens on some sectors but not others, which, unfortunately, has been the case with several past legislative proposals.”
