While welcoming a national uniform standard for data breach notification, the nation’s leading lobby of retailers expressed worry over provisions including a credit freeze that are under consideration as part of a new identity theft bill in the Senate.
The Senate Commerce, Science and Transportation Committee voted yesterday on S. 1178, the Identity Theft Protection Act of 2007, sponsored by committee Ranking Member Ted Stevens, R-AL. That bill alarms the National Retail Federation in Washington.
“Disparate notification standards create significant compliance burdens for businesses that operate in many different states and may also lead to confusion for consumers,” Steve Pfister, NRF senior vice president for government relations, said in a letter to committee members, alluding to the 36 state-level notification laws enacted over the past four years. “NRF supports efforts to create a clear and uniform national standard for data breach notification.
“The current draft of S. 1178, while effectively dealing with the issue of preemption, contains an unworkable notice trigger which we believe could lead to the ineffective and cumbersome over-notification of consumers who are not at risk of identity theft,” the letter said. “NRF agrees with the stated position of the Federal Trade Commission that data security legislation should cover incidents that pose a ‘significant risk’ of harm to the consumer.”
NRF found other aspects of the bill’s requirements troublesome, including the notification of credit reporting agencies. A section requiring that parties with a “direct relationship” with a consumer make notification of breaches could create confusion for both business and consumers as to who is responsible, Mr. Pfister said in his letter.
Retailers accept third-party credit, handle private label cards operated by outside financial institutions and operate third-party lease departments within their stores, [and] “determining the best party to provide notice to the consumer may require more consideration than the bill now allows for,” he said.
Moreover, a section of the bill addressing the use of Social Security numbers could interfere with the legitimate use of those numbers in identifying employees for purposes of immigration compliance, wages and benefits, the letter said.
NRF also was concerned over a provision in the bill that would let consumers place a security freeze on their credit files. The association asked senators to allow victim protection provisions enacted under the 2003 Fair and Accurate Transactions Act to be fully implemented before acting.
“Credit file freeze is a complicated issue with many potentially detrimental effects for consumers,” Mr. Pfister’s letter said. “Credit reports are used for many purposes in a retail business, from authorizing credit for emergency purchases such as a new refrigerator or hot water heater to completing routine cell phone contracts.”
