Small businesses may see added security standards to help combat data breaches. Here's why some say that's not good for small biz.
Congress has a solution to data breaches at small businesses: more red tape.
A bipartisan bill, the Data Security Act of 2015, has been proposed in Washington to help combat the growing data security issue for financial institutions, businesses and customers. The bill would apply the same security standards to businesses that financial institutions currently adhere to. In essence, the legislation mandates bank-like regulations on small businesses.
The bill would apply security standards based on the 1999 Gramm-Leach-Bliley Act, which requires financial institutions to develop an information security plan to address their protection of consumer account information. Randy Neugebauer and John Carney, the representatives who introduced the Data Security Act last month, think businesses should be held to the same data security standard.
Companies would be required to designate at least one employee to manage safeguards, conduct a risk analysis, create a plan to safeguard the data, and regularly assess and update the plan in light of risks and as technology evolves, according to the National Retail Federation. Notifying consumers about data breaches would also be mandatory.
“This would mean additional costs and complexities for businesses already struggling to cope with a crush of red tape from Washington,” David French of the National Retail Federation wrote on The Hill. “Rather than wasting time with a new scheme to regulate Main Street businesses already too busy just trying to stay afloat, Congress should take concrete steps to make sure the credit card cartel finally does the right thing and makes its cards secure.”
Neugebauer and Carney say these rules are necessary because breaches at businesses have caused community banks and credit unions to spend millions of dollars to reissue cards. On the other hand, banks have harsher security rules because a criminal hack could cause a ripple throughout the entire financial system, French points out. Breaches at small businesses simply don’t pose the same risks.
French says other changes could be made to protect businesses and consumers from data breaches, like fully converting the U.S. to encrypted chip-and-PIN cards.
The legislation has been assigned to the House Financial Services Committee and the House Energy and Commerce Committee. It could see action as soon as this summer.