Legislation that would better protect consumers from identity theft and fraud by establishing a “clear set of national standards that would help the prevention of and response to data breaches at public and private institutions” has been introduced by former Senate Committee on Homeland Security and Governmental Affairs Chairman Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.).
The bill, the Data Security Act of 2015 (S961), would require entities such as financial institutions and retailers, among other businesses, to better safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply across the board to businesses and organizations that possess nonpublic personal information, Carper and Blunt pointed out in announcing the reintroduction of their legislation.
The Data Security Act “would better protect consumers by replacing the current patchwork of state laws and establishing one set of national standards,” the announcement said, noting, “Today, 49 states and US territories have enacted laws governing data security and data breach notification standards. Inconsistent and conflicting state-by-state standards force institutions to comply with multiple regulations, leaving many consumers in a confusing web of regulation depending on the state. This legislation would provide clarity and certainty to all parties involved.”
“Nearly every day it seems we hear of another data breach that has compromised consumers’ sensitive information,” Carper said. “For millions of Americans, these data breaches can cause worry and confusion and, in some cases, significant financial harm. Yet despite the increasing frequency and scope of data breaches, there still is no single federal law that provides clear, consistent, and comprehensive protection to American consumers impacted by a data breach. Instead, consumers have to hope that they’re covered by a patchwork of state-based data breach laws.”
“For nearly a decade,” Carper continued, “I’ve worked to ensure that we have common sense measures in place to safeguard the transactions we conduct every day in person and online. Our bipartisan and comprehensive legislation would better serve consumers by ensuring that entities handling secure personal and financial information take the steps necessary to protect it and respond swiftly and effectively in the unfortunate event of a breach. I am hopeful that my colleagues will join me and Senator Blunt in supporting this legislation because it’s long past time for Congress to act to implement a national data breach law.”
“As the role of the Internet in Americans’ daily lives is constant and evolving, so is the job of protecting and securing private citizens’ personal information,” Blunt added. “I’m pleased to join Senator Carper again on this bipartisan effort to provide better protection for consumers and more clarity for businesses through consistent national standards for data security and breach notification.”
If a financial establishment, retailer or other entity determines that sensitive information was or may have been compromised, the Data Security Act of 2015 would require the entity to investigate the scope of the breach and the type of information compromised or potentially compromised, and to determine whether the information will likely be used to commit identity theft or fraud. If it’s determined the information was compromised and will cause harm, then the entity must notify the appropriate government regulatory agency, law enforcement, national consumer reporting agencies where the breach affects more than 5,000 consumers, and all consumers affected by the breach.
The Data Security Act of 2015 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations, and “builds on existing law to better ensure data security procedures are uniformly applied,” the announcement stated.
“Customers will be better protected if every industry has rigorous data security standards and clear rules requiring notification of consumers after a data breach,” said Financial Services Roundtable (FSR) President and CEO Tim Pawlenty. “The parade of data breaches at retailers and elsewhere will likely continue without this legislation.”
FSR quickly announced its support for the bipartisan Data Security Act of 2015, which FSR said “will help prevent data breaches by enacting strong new protections for sensitive financial information and establish uniform guidelines to ensure customers receive timely notification when a breach happens.”
“In addition to calling for the strongest data security standards of any previous legislation,” FSR said, “the bill lays out clear steps a firm must take in the event it suffers a breach that compromises consumer financial information. The steps guarantee that consumers are alerted to the incident and know what steps they can take to protect themselves. This is done by creating a uniform set of national data security and breach notification requirements, while also recognizing that some industries, like financial services and healthcare, already comply with rigorous data security regulations.”