House Financial Services Committee Passes Data Security Bill

NACS opposed the legislation because it would weaken data security while imposing exorbitant liability risks on convenience stores.

December 10, 2015

WASHINGTON – On December 8, the House Financial Services Committee convened to mark up and subsequently pass legislation opposed by NACS: the Data Security Act of 2015 (H.R. 2205). Introduced by Representative Randy Neugebauer (R-TX), the bill would establish a national data security and breach notification standard that would impose enormous costs on most industries in the nation, the convenience store industry among them, while letting other businesses, particularly financial institutions, off the hook.

In recent weeks, NACS has heightened its advocacy efforts to oppose the bill, meeting with committee members and their staffs and sending several opposition letters, including a state association letter with more than 100 state associations (including more than 50 representing the c-store industry); a December 7 letter from national trade associations; and a separate NACS-only letter. NACS voiced its concerns with the bill, mainly the decision to take security standards, which are designed as aspirational targets for the financial services industry, and make them requirements for all other industries across America.

Taking a regulatory regime intended for one industry and applying it to another fails to address business realities, the NACS-only letter points out, and will likely have a variety of unintended consequences. For example, under those standards anyone who touches sensitive account information, defined as a credit or debit card, would be required to first pass a criminal background check. This could subject tens of millions of frontline employees, including convenience store cashiers, to criminal background checks.

During the hours-long markup, various committee members spoke about the merits and shortfalls of the Neugebauer legislation. While members expressed a desire to improve data security standards, many also raised concerns about the regulatory and compliance costs that would be imposed on retailers. Neugebauer agreed to work with committee members to make changes to the bill that address their concerns.

Two amendments were offered during the markup, one by Ranking Member Maxine Waters (D-CA) and the other by Representative Edward Royce (R-CA). The Waters amendment would strike a provision that would preempt state data security laws. Waters argued that many states already have data security standards and that H.R. 2205 could result in weaker standards throughout the nation. Opponents countered that adoption of the amendment would defeat the purpose of the legislation: to establish a national data security and breach notification standard. The Waters amendment was defeated by a vote of 20 to 36.

Royce offered and then withdrew an amendment strongly opposed by NACS and the retail community, which would require breached businesses to reimburse financial institutions for all costs incurred by such institutions that are attributable to the breach. It would, however, specifically exempt financial institutions from having to pay other businesses for the costs associated with financial institution breaches. NACS emphasized that this would give banks an extra bite at the fraud-cost apple, since “merchants pay for card reissuance several times over and are liable for incremental fraud resulting from a breach.”

Though H.R. 2205 was also referred to the House Energy and Commerce Committee, that committee marked up its own data security bill earlier this year that would also establish data security standards and a federal data breach notification requirement. Which bill moves forward, if at all, or how these bills merge together, remains uncertain at this time. NACS will continue to actively oppose this legislation and educate lawmakers about its serious flaws.
