Senators re-introduce bill to improve security, require notification of breaches
The press release issued by the Senators:
Today Senator Tom Carper (D-Del.) joined Senator Bob Bennett, (R-Utah) to re-introduce legislation that helps protect consumers and businesses from identity theft and account fraud.
“It seems nearly every other day there is a report of consumers’ highly sensitive personal information being compromised by a store, a school, or some third party data center,” said Carper. “In a 2009 incident, Heartland Payment Systems – a national company that processes payments for retailers and restaurants located in nearly all 50 states — was hacked, leaving possibly 100 million people at risk of identity fraud or financial theft. Unfortunately this story is all too familiar, as millions of Americans are at risk for identity theft because of the vulnerability surrounding sensitive personal information. At the very least, identity fraud can cause worry and confusion, and at the very most it can cause serious financial harm. We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country. This comprehensive approach will better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud.”
“We live in an Information Age where technology provides greater ease and business opportunities for Americans, but also increases the ability for criminals to exploit any weak link in the cyber world,” said Bennett. “I am pleased to reintroduce this bill along with Senator Carper to help strengthen networks and ensure that personal information is protected. In the event that protection is violated, putting victims of identity theft or account fraud at risk, it provides a much needed uniform national standard for data security and breach notification.”
The Data Security Act of 2010 would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to retailers who take credit card information, data brokers who compile private information and government agencies that possess nonpublic personal information.
Today, more than 46 states have enacted security breach notification laws. Many states have inconsistent and conflicting standards, forcing businesses to comply with multiple regulations, and leaving many consumers without proper recourse and protections.
The Data Security Act of 2010 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999, and subsequent regulations. It builds on existing law to better ensure federal and state regulators comply with the law and to make sure that data security procedures are uniformly applied. Regulators of entities who do not comply would have the authority to levy finds, require corrective measures or even bar individuals from working in their respective industries.
While I like the idea of a unifying law that would cross over sectors, I do not like the “substantial” risk standard. That’s the wrong standard, Senators, as we’ve seen too many cases where entities did not believe that there was any significant risk of harm and yet there was harm.