Sens. Carper, Blunt Introduce Bill to Better Protect Consumers from Identity Theft

Legislation Applies to Financial Institutions, Retailers, and Government Agencies

WASHINGTON – Today, Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) reintroduced legislation that helps protect consumers and businesses from identity theft and account fraud.

The Data Security Act of 2011 would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to retailers who take credit card information, data brokers who compile private information and government agencies that possess nonpublic personal information.

The bill also better protects consumers by replacing the current patchwork of state laws and establishing one set of national requirements. Today, 49 states and U.S. territories have enacted laws governing data security and data breach notification standards. Although some state laws are similar, many have inconsistent and conflicting standards, forcing businesses to comply with multiple regulations, and leaving many consumers without proper recourse and protections.

“Over the past few decades, our society has become increasingly dependent on informational technology, including consumers, government, and businesses of all kinds,” said Sen. Carper. “While we have reaped enormous benefits from this powerful technology and innovation, millions of Americans are at risk for identity theft because of the vulnerability surrounding sensitive personal information. It seems nearly every other day there is a report of American consumers’ highly sensitive personal information being compromised by a store, a school or some third party data center.”

“At the very least, identity fraud can cause worry and confusion, and at the very most it can cause serious financial harm,” continued Sen. Carper. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country. This comprehensive approach will better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud.”

“New technologies have greatly expanded the ways we access information and conduct day-to-day business, but these new tools also pose new security challenges that we must address as a nation,” said Sen. Blunt. “This bill will help ensure that businesses and government agencies have consistent, national standards across the board as we work to protect consumers’ personal information and prevent identity theft.”

If the financial establishment, retailer, federal agency or other entity determines that sensitive information was compromised or may have been compromised, the Data Security Act of 2011 requires the entity to investigate the scope of the breach, the type of information compromised or potentially compromised, and determine whether the information will likely be used to cause an individual harm or bank fraud. If it is determined that the information was compromised and will cause harm, then the entity must notify the appropriate federal government regulatory agency, law enforcement, national consumer reporting agencies where the breach affects over 5,000 consumers and all consumers affected by the breach.

The Data Security Act of 2011 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. It builds on existing law to better ensure federal and state regulators comply with the law and to make sure that data security procedures are uniformly applied. Regulators of entities who do not comply would have the authority to levy finds, require corrective measures or even bar individuals from working in their respective industries.