Carper Introduces Bill to Protect Against Identity Theft

Legislation Would Apply to Financial Institutions and Government Agencies

WASHINGTON (June 26, 2006) – Sen. Tom Carper, D-Del., joined fellow Senate Banking Committee member Bob Bennett, R-Utah, today in introducing legislation to help protect consumers and businesses from identity theft and account fraud. The new legislation, the Data Security Act of 2006, would require that all entities, not just financial institutions, safeguard sensitive information and notify consumers when there is a security breach that could seriously harm individuals and lead to identity theft. “We used to just worry about people breaking into our homes or stealing our cars, but in the 21st century, we have to worry about people stealing our identities via computers and the Internet,” said Sen. Carper. “Given what we’ve seen happen recently with security lapses at the Veterans Administration and other financial institutions, it’s imperative that we write a national law to help protect consumers from being victims of identity theft. This bill would require all financial institutions, retailers and government agencies to maintain strong internal safety protections for the data they hold, to quickly investigate any security breach, and notify law enforcement, regulators and the public when there’s a real risk of harm.” “The conveniences and efficiencies of the Information Age, which have brought economic benefits and improved quality of life, have also brought new challenges,” said Sen. Bennett, chairman of the Senate Banking Subcommittee on Financial Institutions. “Thieves, cheats and other criminals have also entered the Information Age, and are using information technology to steal from many of us. Too many Americans have become victims of identity theft or account fraud, and these crimes are increasing at an alarming rate. Though current law requires financial institutions to protect the security and confidentiality of customer information, we have to expand this reach. We are not doing enough to protect consumers and businesses from identity theft and account fraud as criminals have shown they can exploit any network weakness, regardless of where they are located.” The Data Security Act of 2006 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. Today, more than 30 states have enacted security breach notification laws, and several others may pass laws this year. Though some are similar, many have inconsistent and conflicting standards, forcing businesses to comply with multiple regulations and leaving many consumers without proper recourse and protections. The new bill requires that all entities – such as financial institutions, universities, retailers and federal agencies –safeguard sensitive information, investigate security breaches and notify consumers when there’s a substantial risk of identity theft or account fraud. That means retailers that take credit card information are now covered; data brokers who compile private information are covered; and government agencies that possess nonpublic personal information are also covered. The bill builds on existing law by requiring federal and state regulators to ensure compliance with the law and to make sure that data security procedures are uniformly applied. If found out of compliance, regulators would have the authority to levy finds, require corrective measures or even bar individuals from working in their respective industries. The bill is being referred to the Senate Banking Committee for hearings and eventual committee action.