NATSO Submits Letter to FTC Outlining Data Security Principles

NATSO joined more than 10 retail trade associations in sending a letter to the Federal Trade Commission (FTC) outlining the groups' principles on data security standards and consumer notification requirements in the event of breaches of sensitive data. The letter was in response to the FTC's request for input on the current state of competition and consumer protection law.

Considering the widespread risk of data breaches afflicting all American industries and public institutions, the groups outlined for the FTC four key principles that should govern any federal data security and breach notification policy:
 
1) Establish Uniform Nationwide Law -- With a patchwork of inconsistent breach laws in effect throughout the different states, there is no reason to enact federal legislation in this area unless it preempts the existing laws to establish a uniform, nationwide standard so that every business and consumer knows the singular rules of the road. One federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.
 
2) Promote Reasonable Data Security Standards -- Data security requirements applicable to a broad array of U.S. businesses should be based on a standard of reasonableness. A reasonable data security standard, consistent with federal consumer protection laws applicable to businesses of all types and sizes, would allow the right degree of flexibility while giving businesses the appropriate level of guidance they need to comply.
 
3) Maintain Appropriate FTC Enforcement Regime -- Federal agencies should not be granted overly punitive enforcement authority that exceeds current legal frameworks.
 
4) Ensure All Breached Entities Have Notice Obligations -- Businesses in every affected industry sector should have an obligation to notify consumers when they suffer a breach of sensitive personal information that creates a risk of identity theft or financial harm. Informing the public of breaches can help consumers take steps to protect themselves from potential harm. It also creates greater incentives for all businesses handling sensitive personal information to improve their data security practices. Creating exemptions for particular industry sectors or allowing breached entities to shift their notification burdens onto others -- as some in the financial services sector have proposed -- will weaken the effectiveness of federal policy, undermine consumer confidence, ignore the scope of the problem, and create loopholes that criminals can exploit.
