Issues & Advocacy

Issue Brief

Data Security

Keeping payment card data secure is a top concern for restaurateurs.

Data security has emerged as one of the biggest threats to a restaurant’s reputation and bottom line. Congress and regulatory agencies continue to consider public policies to stem the tide of computer hacking and data breaches.

The National Restaurant Association supports efforts to set one national data security standard and establish one national process for notifying customers about a data breach. Restaurants and other businesses face a patchwork of 48 different state laws on data breach notification requirements and 12 different state laws on data security standards. A federal data security standard should promote reasonable data security in line with the size and complexity of a business.  

In the 114th Congress, we supported H.R. 1770, the Data Security and Breach Notification Act of 2015, passed by the House Energy & Commerce Committee. We also supported the approach Sen. Mark Warner (D-Va.) continues to pursue in his draft Data Breach Notification Act.

Our industry will continue to oppose legislation like the Data Security Act of 2015 (H.R. 2205/S.967 (115th Congress) or any similar bills. Such legislation would mandate new, costly and heavy-handed government requirements dictating exactly how businesses should implement data security. Among other requirements, these bills would require businesses to hire a full-time IT manager (likely costing about $125,000 a year) and perform background checks on all employees. The costly and burdensome rules would come on top of the Payment Card Industry (PCI) requirements that restaurants already follow if they accept payment cards, and would differ from the new “chip” or EMV card processes many restaurateurs are now implementing.

OUR ASK: Support legislation that requires reasonable data security standards and establish one national process for notifying customers about a data breach. Oppose legislation that imposes heavy-handed and costly government requirements for data security