Sens. Carper, Blunt File Amendment to Cyber Security Bill to Better Protect Consumers from Identity Theft

Provision Applies to Financial Institutions, Retailers, and Government Agencies

WASHINGTON – Today, Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) filed an amendment to pending cyber security legislation, the Cybersecurity Act of 2012, which would help protect consumers and businesses from identity theft and account fraud.

The amendment, the Data Security Act of 2012, which was based on the Data Security Act of 2011 that was introduced in July 2011, would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to retailers who take credit card information, data brokers who compile private information and government agencies that possess nonpublic personal information.

The Data Security Act would better protect consumers by replacing the current patchwork of state laws and establishing one set of national requirements. Today, 49 states and U.S. territories have enacted laws governing data security and data breach notification standards. Although some state laws are similar, many have inconsistent and conflicting standards, forcing businesses to comply with multiple regulations, and leaving many consumers without proper recourse and protections.

“As our society becomes increasingly reliant on technological advances, including consumers, government, and businesses of all kinds, it is imperative that we do not let technology out-pace our ability to protect Americans’ sensitive personal information and prevent against fraud and identity theft,” said Sen. Carper. “For millions of Americans, identity fraud can cause worry and confusion and, in some cases, serious financial harm. That’s why I, along with Senator Blunt, introduced this amendment to address concerns regarding data breach and to ensure that Americans can be confident that their private and sensitive information is being properly protected. Our bipartisan and comprehensive approach would better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud. By adopting this data breach amendment and passing this broader cyber security bill, we will help usher in a new generation of cyber tools so that our nation can lead by example in both preventing cyber attacks from occurring in the first place, and responding swiftly and effectively to protect consumers in the unfortunate event of an attack.”

“This amendment is critically important as we work to ensure businesses and government agencies have the tools they need to strengthen our nation’s data security,” said Sen. Blunt. “New technologies pose new opportunities as well as new security challenges. I’m proud to work with Senator Carper on this bipartisan measure to create consistent, national standards to protect consumers’ personal information and prevent identity theft.”

If the financial establishment, retailer, federal agency or other entity determines that sensitive information was compromised or may have been compromised, the Data Security Act of 2012 requires the entity to investigate the scope of the breach and the type of information compromised or potentially compromised, and to determine whether the information will likely be used to cause an individual harm or bank fraud. If it is determined that the information was compromised and will cause harm, then the entity must notify the appropriate federal government regulatory agency, law enforcement, national consumer reporting agencies (where the breach affects over 5,000 consumers), and all consumers affected by the breach.

The Data Security Act of 2012 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. It builds on existing law to better ensure federal and state regulators comply with the law and to make sure that data security procedures are uniformly applied.