An article from The Hill yesterday explains why retailers say data security rules would be a poor fit.

The National Retail Federation is asking Congress to throw out any legislation that would force retailers to follow data security rules created for the banking industry.

Lawmakers have proposed expanding the authority of the Federal Trade Commission to oversee data security for nonbank businesses under the Gramm-Leach-Bliley Act, which now requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data.

In a report, former FTC Bureau of Consumer Protection officials Joel Winston and Anne Fortney said applying interagency guidelines to nonbanks that only accept credit cards would be a “poor fit.”
“When it issued consumer information privacy and safeguards rules under the Gramm-Leach-Bliley Act, the FTC considered applying the rules to retailers that accept bank credit or debit cards and declined to do so,” their report said. “We believe that determination remains equally justified today.”

The report goes on to say that expanding the guidelines would be burdensome to nonbanks and the FTC, which is primarily a law enforcement agency.

Retailers lack the authority over payment cards to maintain certain data security obligations, and the FTC lacks the supervisory examination and resources to provide specific guidance and oversight that would be necessary to cover every nonbank business, NRF said in a release.

Instead of expanding the Gramm-Leach-Bliley Act guidelines, NRF has been pushing Congress to pass a uniform national data breach law.