ARLINGTON, Va. — The National Association of Chain Drug Stores participated in a coalition of retail groups calling on Congress to develop legislation for prompt notification of sensitive data breaches.
NACDS said Friday that the coalition has sent a letter to leaders in the Senate and House of Representatives in the wake of a recent spate of news reports about data security incidents. The letter citied several high-profile cases of security breaches that left consumers vulnerable to criminal activity, including at JPMorgan Chase, Apple and the Department of Homeland Security, as well as breaches of payment card systems.
"Data security intrusions are a threat faced by every sector of our nation. Consumers
deserve to know when they are placed at risk, regardless of where the risk arises. The public expects no less," stated the letter, from more than 40 retail organizations. "Congress should act to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur."
The coalition noted that organized groups of criminals have focused on U.S. businesses, including financial institutions, retailers and technology, manufacturing, utility and other companies. The organizations cited the 2014 Verizon Data Breach Investigations Report, which tallied 63,437 data security incidents reported by industry, educational institutions and governmental entities last year, of which 1,367 of had confirmed data losses. And of those experiencing data losses, 34% were in the financial industry, 12.8% were public institutions, 10.8% were in the retail sector, and 10% were hotels and restaurants.
"Vigilance against these threats is necessary, but we need to focus on the underlying causes of breaches as much as we do on the effects," the coalition wrote, adding, "If there is anything that the recently reported data breaches have taught us, it is that sny security gaps left unaddressed will quickly be exploited by criminals."
In addition, the letter noted that any legislation to address such cybersecurity threats must cover all types of entities that handle sensitive information, including technology service providers.
"We look forward to working with you to address criminal data thefts in a way that covers everyone who is at risk and that promotes solutions that will protect American consumers now," the coalition stated.
Besides NACDS, members of the coalition signing the letter included the National Retail Federation, Food Marketing Institute, National Grocers Association, National Association of Convenience Stores, National Restaurant Association, Retail Solution Providers Association, American Hotel and Lodging Association, and various other state and trade-specific retail organizations.
In related news on Monday, credit reporting and risk firm Experian said a recent survey from Experian’s ProtectMyID revealed that retail data breaches have raised consumer awareness of identity protection during the holiday shopping season.
More than 70% of the more than 1,000 respondents shopping in stores noted they plan to stay aware of their surroundings when shopping. Consumers also expect retailers to keep their information safe: 79% would like to hear about how retailers plan to protect personal and credit card information before the holiday shopping starts.
Yet the study also showed that consumers could do more to protect their information. For example, of those planning to shop online, nearly 40% still don’t check to see if the site is secure, and in stores only 41% cover the PIN pad at registers when entering that information, leaving them exposed to "shoulder surfers," Experian noted.
"Many of this season’s holiday shoppers received retail data breach notifications during the past few years, and they feel that their identities are at risk more than ever before, whether shopping online or in-store," stated Becky Frost, senior manager of consumer education for Experian’s ProtectMyID. "However, consumers should understand that it’s not just about retailers keeping their information secure. Often, an identity thief only needs a shopper’s momentary lapse in focus to walk away with an unintended ‘holiday gift’ of personal information."
