For more than 15 years, the Gramm-Leach-Bliley Act (GLBA) has governed data security in the banking industry. But should those guidelines, and the Federal Trade Commission’s (FTC) application of them, be expanded to retailers as well? Some lawmakers say yes, but the National Retail Federation (NRF) adamantly says no.
The NRF released a statement on March 16 in response to a number of proposals before Congress looking to expand the FTC’s authority to retailers and other businesses, similar to its current obligations for the financial industry under Gramm-Leach-Bliley. The law requires financial institutions to explain their information-sharing practices to customers and safeguard certain types of data.
However, the NRF says that this expansion would be a “poor fit.” The federation cites three key reasons for its opposition:
- The FTC’s role as a law enforcement agency rather than an oversight regulator;
- Overly burdensome obligations on nonbank businesses that have little or no authority to implement changes to payment cards; and
- The FTC’s own objections to expanding GLBA requirements to retailers.
“When it issued consumer information privacy and safeguards rules under the Gramm-Leach-Bliley Act, the FTC considered applying the rules to retailers that accept bank credit or debit cards and declined to do so,” write Joel Winston and Anne Fortney, both former FTC Bureau of Consumer Protection officials. “We believe that determination remains equally justified today.”
The writers further argued that the FTC would not be able to effectively cover all retailers, saying, “The FTC lacks supervisory examination authority and lacks the resources to provide the specific guidance and ongoing oversight that would be necessary to effectuate guidelines-type rules covering the huge diversity of nonbank entities.”
Although the NRF is against expanding FTC authority, it is in favor of a national data security law that would replace the current patchwork of 47 state laws.
The NRF isn’t the only non-financial industry body opposing expanded FTC oversight of data security. Notably, Wyndham Worldwide continues to fight the agency’s jurisdiction over privacy matters following the FTC’s 2012 lawsuit against the hotel chain.