Senator Feinstein, introducing S. 139 [pdf] in Congress today:
Mrs. FEINSTEIN. Mr. President, I rise to introduce the Data Breach Notification Act.
This is a commonsense bill that is aimed at protecting personal information and preventing identity theft. The bill would require businesses and government agencies to notify individuals when their sensitive personal information has been exposed in a data breach.
As many of you know, I have been urging the Senate to adopt this legislation since 2003, when California first imposed a State notification requirement.
That legislation has helped consumers in my State. Federal data breach law would provide uniformity and protect consumers throughout the country.
With every year that passes, the evidence in support of this legislation has only continued to mount.
The cost of identity theft is enormous–estimated at more than $50 billion per year. Some of the costs fall on businesses and banks, which suffer losses from fraudulent transactions. Some of the costs are also borne by consumers, whose finances and credit ratings are disrupted.
Since the beginning of 2005, over 240 million data records containing individuals’ sensitive personal data have been exposed in data breaches.
It seems that not a week goes by without news of another security breach that exposes names, addresses, birth dates, social security numbers, or other personal data.
These breaches have spawned a vast online market in stolen identities. Today, each person whose identity is sold on the internet faces a high risk of becoming a victim of identity theft. Each of them faces the expensive and time-consuming nightmare of trying to restore their finances and credit ratings.
According to a report by the Identity Theft Resource Center, the news media reported more than 620 breaches involving personal information during 2008. That works out to about one data security breach every 14 hours–and those are just the ones that are big enough to be covered in the media.
Recent reports of security breaches involving sensitive personal data point out the extent of the problem.
In December 2008, during a website development project at the Florida Agency for Workforce Innovation, the Social Security numbers of more than a quarter of a million people were accidentally posted online.
In August of last year, an employee working weekends at Countrywide copied customer records from an office computer and then sold the personal information of an estimated 2,000,000 mortgage applicants.
In May of 2007, a breach at the Transportation Security Administration made the names, Social Security numbers, birth dates, payroll information, and bank account information of more than 100,000 former employees vulnerable to theft or sale.
In January of that same year, hackers accessed information held by TJX stores, including more than 45 million credit card numbers and more than 455,000 merchandise records containing customers’ drivers license numbers.
In May of 2006, there was a breach at the Department of Veterans Affairs that involved the names, birth dates, and Social Security numbers of every veteran discharged from the military since 1975–more than 28 million veterans–every veteran discharged from the military since 1975.
Another disturbing example took place last year at the State Department when the passport files of Senator CLINTON, Senator MCCAIN, and Senator OBAMA–the three leading presidential contenders at the time–were accessed by contractors working for the Department. Though the Department knew about the breaches right away, several months passed before our colleagues were told about the problem.
Unfortunately, this delay is not surprising–because there is currently nothing to require a Federal agency to tell us when a security breach affects our personal data.
That needs to change. That’s what my bill does.
Specifically, this legislation requires the Federal Government and private businesses to notify individuals when there has been a security breach involving their sensitive personal data; ensures that the notice is provided without unreasonable delay; creates very limited exceptions to notification for national security and law enforcement purposes, and when law enforcement certifies that there is no significant risk of harm to the individual; establishes penalties against those who do not provide the required notice, with the provisions of the bill enforced by the Federal and State attorneys general; and pre-empts State laws so that there is a single, nationwide notification requirement.
Data security breaches have real consequences. For one thing, they are bad for business because they lead to a loss of confidence–especially in online commerce. A 2005 survey for Consumer Reports showed that 25 percent of Internet users stopped shopping online because of fears about identity theft. Of people who still shopped online, 29 percent said that they had cut back on how often they buy products on the Internet.
Data breaches also pose serious harms for consumers. A November 2007 report from the Federal Trade Commission revealed that identity theft victims spent as much as $5,000 of their own money–and as many as 1,200 hours of their time–recovering from the harm to their finances caused by identity theft.
While not all data breaches lead to identity theft, the cost of stolen identities is so enormous that we should be doing everything we can to solve this problem.
The situation requires action. While Congress has been slow to act, the States have not. In the almost 6 years since the California law took effect, 43 States, the District of Columbia, Puerto Rico, and the Virgin Islands have passed similar laws.
A report issued by the Federal Trade Commission in December 2008 noted that these State data breach notification laws have had several indirect benefits; many businesses across the country have strengthened their safeguard practices in order to avoid data breaches.
By forcing companies to consider the potential cost and liability that may ensue if information is compromised in a data breach, these laws have the indirect benefit of motivating companies to reassess their need to collect personally identifiable information in the first place.
The same benefits would flow from Federal legislation. Additionally, the Data Breach Notification Act would improve the law by creating a single, uniform national standard.
A September 2008 report issued by the President’s Identity Theft Task Force again emphasized the need for a unified Federal standard to replace the patchwork of varied state laws currently in place. The December 2008 FTC report made the same point.
[Page: S117]
A Federal bill will simplify the process of compliance and notification for businesses, while ensuring that all consumers get the information they need as soon as possible when breaches happen.
We have already waited too long. The Judiciary Committee endorsed this bill unanimously during the last Congress. The epidemic of data breaches in our nation continues unabated. This is a common-sense bill that we should take action on now.
I urge the Senate to pass the Data Breach Notification Act to give Americans the information they need to protect themselves from identity theft.
Mr. President, I ask unanimous consent that the text of the bill be printed in the RECORD.
There being no objection, the text of the bill was ordered to be printed in the RECORD, as follows: