Digital Version of November/December 2014 Print Edition
Bills introduced to protect Americans’ data privacy
Senators Tom Carper (D-DE) and Roy Blunt (R-MO) reintroduced legislation last week aimed at protecting consumers from identity theft and account fraud and at establishing a common set of data breach laws across the U.S. for private and public organizations. The legislation comes shortly after another, similar piece of legislation was introduced by Senate Judiciary Committee Chairman Patrick Leahy (D-VT).
The Data Security Act of 2014 would require entities such as financial institutions, retailers, and federal agencies to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. The new requirements would apply to businesses that take credit or debit card information, data brokers that compile private information, and government agencies holding nonpublic personal information.
It would supersede the current patchwork of U.S. data breach laws, according to its authors; about 49 states and U.S. territories have enacted laws governing data security and data breach notification standards. But such inconsistent standards mean public and private entities need to comply with multiple regulations, which can be inefficient and confusing for consumers. Senators Carper and Blunt also introduced the legislation in the last Congress.
The bill comes after a Jan. 10 announcement by Target that as many as 110 million of its customers may have had their personal data stolen during the holiday shopping season. Target first confirmed the breach on Dec. 19. On Jan. 10, Neiman Marcus also confirmed that it suffered a breach, although the breach’s extent has yet to be confirmed. Both companies have taken steps to notify customers and have said they are working with law enforcement.
“These recent breaches, and others before them, underscore the need for Congress to act to protect Americans against fraud and identity theft,” said Sen. Carper, in a statement. “For millions of Americans, data breaches can cause worry and confusion and, in some cases, serious financial harm. …This bipartisan and comprehensive approach would better serve consumers by ensuring that businesses and government agencies take the steps necessary to secure personal and financial information and respond swiftly and effectively in the unfortunate event of a breach.”
The Act requires organizations to investigate a breach when sensitive information has been compromised. They must also determine the type of information compromised or potentially compromised and determine whether the information will likely be used to cause an individual harm or bank fraud. If the information was compromised and will cause harm, entities must notify law enforcement officials, the appropriate federal government regulatory agency, and affected consumers. National consumer reporting agencies need to be notified when the breach affects over 5,000 consumers.
Another data breach bill, also establishing a national set of laws and including a host of measures aimed at protecting consumers’ personal data, was introduced Jan. 8 by Sen. Patrick Leahy (D-VT). First introduced in 2005, the Personal Data Privacy and Security Act has been re-introduced in each of the last four Congresses. “Developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our nation,” said Leahy. The bill is cosponsored by Senators Al Franken (D-MN), Chuck Schumer (D-NY), and Richard Blumenthal (D-CT).
Leahy also announced that the issue of data privacy would be the subject of a committee hearing early in the new Senate session.
Another major data breach bill, creating national standards and bolstering data protection, was introduced last June by Sen. Pat Toomey (R-PA) and was cosponsored by Senators Angus King (I-MA) and John Thune (R-SD).