On July 28, Senators Tom Carper (D-DE.) and Roy Blunt (R-MO) reintroduced S. 1434, the Data Security Act of 2011, to protect consumers and businesses from identity theft and account fraud. The bill would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. The requirements would apply to retailers who take credit card information, data brokers who compile private information, and government agencies that possess nonpublic personal information.
The bill’s sponsors state their proposed bill “better protects consumers by replacing the current patchwork of state laws and establishing one set of national requirements. Presently, 49 states and U.S. territories have enacted laws governing data security and data breach notification standards.”
Senator Carper reiterated an ever increasing theme in the media: “While we have reaped enormous benefits from this powerful technology and innovation, millions of Americans are at risk for identity theft because of the vulnerability surrounding sensitive personal information. It seems nearly every other day there is a report of American consumers’ highly sensitive personal information being compromised by a store, a school or some third party data center.”
“At the very least, identity fraud can cause worry and confusion, and at the very most it can cause serious financial harm,” continued Sen. Carper. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country. This comprehensive approach will better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud.” Although some state laws are similar, many have inconsistent and conflicting standards, forcing businesses to comply with multiple regulations, and leaving many consumers without proper recourse and protections.
“New technologies have greatly expanded the ways we access information and conduct day-to-day business, but these new tools also pose new security challenges that we must address as a nation,” said Senator Blunt. “This bill will help ensure that businesses and government agencies have consistent national standards across the board as we work to protect consumers’ personal information and prevent identity theft.”
If the financial establishment, retailer, federal agency or other entity determines that sensitive information was compromised or may have been compromised, the proposed bill the entity to investigate the scope of the breach, the types of information compromised or potentially compromised, and determine whether the information will likely be used to cause an individual harm or bank fraud. If the event will cause harm, then the entity must notify the appropriate federal government regulatory agency, law enforcement, and national consumer reporting agencies where the breach affects over 5,000 consumers and all consumers affected by the breach.
The Data Security Act of 2011 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. It builds on existing law to better ensure federal and state regulators comply with the law and to make sure that data security procedures are uniformly applied. Regulators of entities who do not comply would have the authority to levy finds, require corrective measures or even bar individuals from working in their respective industries.
As previously reported, ISPLA is actively monitoring numerous security breach bills pending before Congress.
ISPLA Director of Government Affairs
Your Proactive Voice from State Capitals to the Nation’s Capital