Bill would establish clear rules of the road throughout the U.S. for public and private entities to help prevent and respond to a data breach
Jan 15 2014
WASHINGTON – Today, Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) introduced the Data Security Act of 2014, which would help better protect consumers from identity theft and account fraud and would establish clear and consistent rules of the road nationally for public and private institutions to follow to prevent and respond to data breaches.
The bill would require entities such as financial institutions, retailers, and federal agencies to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to businesses that take credit or debit card information, data brokers that compile private information, and government agencies that possess nonpublic personal information.
The Data Security Act would better protect consumers by replacing the current patchwork of state laws and establishing one set of national standards. Today, 49 states and U.S. territories have enacted laws governing data security and data breach notification standards. Inconsistent and conflicting state-by-state standards force public and private entities to comply with multiple regulations, leaving many consumers in a confusing web of regulation depending on the state. This legislation would provide clarity and certainty to all parties involved.
“As the recent incidents involving Target and Neiman Marcus remind us, major data breaches that compromise consumers’ identities and financial security are becoming more routine. These recent breaches, and others before them, underscore the need for Congress to act to protect Americans against fraud and identity theft,” Sen. Carper said. “For millions of Americans, data breaches can cause worry and confusion and, in some cases, serious financial harm. We cannot allow technology advances to outpace the security measures in place to safeguard the transactions we conduct in person and online. This bipartisan and comprehensive approach would better serve consumers by ensuring that businesses and government agencies take the steps necessary to secure personal and financial information and respond swiftly and effectively in the unfortunate event of a breach.”
“New technologies pose new opportunities – as well as new security challenges. As recent headlines have once again reminded us, now is the time to strengthen our nation’s data security and defend consumers against data breaches by both businesses and government agencies,” said Sen. Blunt. “I’m glad to work with Senator Carper again as we continue our bipartisan effort to create consistent, national standards to better protect consumers and businesses from identity theft and account fraud.”
If the financial establishment, retailer, federal agency or other entity determines that sensitive information was compromised or may have been compromised, the Data Security Act of 2014 requires the entity to investigate the scope of the breach and the type of information compromised or potentially compromised, and to determine whether the information will likely be used to cause an individual harm or bank fraud. If it is determined that the information was compromised and will cause harm, then the entity must notify the appropriate federal government regulatory agency, law enforcement, national consumer reporting agencies (where the breach affects over 5,000 consumers), and all consumers affected by the breach.
The Data Security Act of 2014 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. It builds on existing law to better ensure data security procedures are uniformly applied.