NRF to policy-makers: Don't broaden cybersecurity legislation

WASHINGTON — Two bills designed to protect "covered critical infrastructure" against cyber attacks by terrorists and others should remain focused on their key purpose and not be expanded to include data breach legislation or broad new privacy regimes, the National Retail Federation said.

The cybersecurity bills in question are the Cybersecurity Act of 2012, which was introduced last month by Senate Homeland Security and Governmental Affairs Committee chairman Joseph Lieberman, I-Vt., and ranking member Susan Collins, R-Maine; as well as the the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act, or SECURE IT Act, which was introduced by Senate Commerce, Science and Transportation Committee ranking member Kay Bailey Hutchison, R-Texas, and fellow committee member Sen. John McCain, R-Ariz.

NRF said that while the bills are not directed specifically at retailers, if the legislation is broadened, it may "become a vehicle to which lawmakers would try to attach long-pending proposals regarding online security and privacy." This potentially could include data breach measures that could force retailers to unnecessarily spend millions of dollars on data monitoring services for customers if their databases were hacked.

"Cybersecurity legislation includes the laudable goal of increasing information sharing between the government and private sector, but the goals underlying the cybersecurity legislation and provisions in data breach notification legislation are fundamentally contradictory," NRF SVP government relations David French said in a letter. "Juxtaposing these contrasting proposals would place businesses in a precarious position when their systems are attacked by cyber criminals. Thoughtful examination and comparison of these pieces of legislation reveal that they are not properly aligned."