NRF Warns About Identity Theft Legal Changes

As the U.S. Senate is considering national standards for retail data breaches, the National Retail Federation (NRF) issued a statement that some provisions could actually cause consumers to be repeatedly notified for the same incident.

The NRF statement supported the legislative efforts, but tried suggesting some pragmatic problems with the approach the Senate is considering.

"Disparate notification standards create significant compliance burdens for businesses that operate in many different states and may also lead to confusion for consumers," NRF Senior Vice President for Government Relations Steve Pfister said. "The current draft of S. 1178, while effectively dealing with the issue or preemption, contains an unworkable notice trigger which we believe could lead to the ineffective and cumbersome over-notification of consumers who are not at risk of identity theft."

The statement also described as "problematic" some of the bill's notification requirements. "A section requiring that parties with a 'direct relationship' with a consumer make notification of breaches could create confusion for both business and consumers as to who is responsible," Pfister said. "Noting that retailers accept third-party credit, handle private label cards operated by outside financial institutions, and operate third-party lease departments within their stores, determining the best party to provide notice to the consumer may require more consideration than the bill now allows for."