Bill would establish national rules of the road for public and private entities to help prevent and respond to a data breach
Apr 16 2015
WASHINGTON – Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) have introduced the Data Security Act of 2015 (S.961), which would better protect consumers from identity theft and account fraud by establishing a clear set of national standards for preventing and responding to data breaches at public and private institutions.
The bill would require entities, such as financial institutions and retailers, among other businesses, to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to businesses and organizations across the board that possess nonpublic personal information.
The Data Security Act would better protect consumers by replacing the current patchwork of state laws and establishing one set of national standards. Today, 49 states and U.S. territories have enacted laws governing data security and data breach notification standards. Inconsistent and conflicting state-by-state standards force institutions to comply with multiple regulations, leaving many consumers in a confusing web of regulation depending on the state. This legislation would provide clarity and certainty to all parties involved.
"Nearly every day it seems we hear of another data breach that has compromised consumers’ sensitive information," Sen. Carper said. "For millions of Americans, these data breaches can cause worry and confusion and, in some cases, significant financial harm. Yet despite the increasing frequency and scope of data breaches, there still is no single federal law that provides clear, consistent, and comprehensive protection to American consumers impacted by a data breach. Instead, consumers have to hope that they're covered by a patchwork of state-based data breach laws. For nearly a decade I've worked to ensure that we have common sense measures in place to safeguard the transactions we conduct every day in person and online. Our bipartisan and comprehensive legislation would better serve consumers by ensuring that entities handling secure personal and financial information take the steps necessary to protect it and respond swiftly and effectively in the unfortunate event of a breach. I am hopeful that my colleagues will join me and Senator Blunt in supporting this legislation because it's long past time for Congress to act to implement a national data breach law."
"As the role of the Internet in Americans' daily lives is constant and evolving, so is the job of protecting and securing private citizens' personal information," Sen. Blunt said. "I'm pleased to join Senator Carper again on this bipartisan effort to provide better protection for consumers and more clarity for businesses through consistent national standards for data security and breach notification."
If the financial establishment, retailer, or other entity determines that sensitive information was compromised or may have been compromised, the Data Security Act of 2015 requires the entity to investigate the scope of the breach and the type of information compromised or potentially compromised, and to determine whether the information will likely be used to commit identity theft or fraud. If it is determined that the information was compromised and will cause harm, then the entity must notify the appropriate federal government regulatory agency, law enforcement, national consumer reporting agencies where the breach affects more than 5,000 consumers, and all consumers affected by the breach.
The Data Security Act of 2015 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. It builds on existing law to better ensure data security procedures are uniformly applied.