WASHINGTON, D.C.—U.S. Senators Mark Pryor (D-Ark.) and John D. (Jay) Rockefeller IV (D-W.Va.) today reintroduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. Currently, there is no single federal standard for guarding many types of consumer information.
“If companies are going to collect and store consumers’ personal information, safeguarding that information should be priority number one. Unfortunately, we’re seeing some very popular companies outsmarted by hackers. In fact, since we first introduced this legislation, we’ve seen major data breaches affect customers at Target, Best Buy, Walgreens and Sony,” said Senator Pryor, Chairman of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, and Insurance. “We need to pass strong security and notification standards before this problem spins further out of control.”
“The consequences of data breaches can be grave: identity theft, depleted savings accounts, a ruined credit score, and trouble getting loans for cars, homes and children’s education are just some of the effects. In today’s economy, we simply cannot let this happen,” said Senator Rockefeller, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation. “Companies that maintain vast amounts of consumer information need to have effective safeguards in place to keep sensitive consumer information secure. By establishing needed protections for consumers and providing more regulatory certainty to businesses, the Data Security and Breach Notification Act will do just that.”
The Data Security and Breach Notification Act requires entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.
Data security breaches and identity theft are a growing problem in the United States. In 2009, the business sector experienced the greatest number of data breaches (41.8%), followed by the government/military (18.1%) and education (15.7%) sectors. Examples of data security breaches within the past few years include:
- Epsilon, an online marketing firm that handles email lists for 2,500 companies such as Target, Best Buy, and Walgreens, suffered a data breach that disclosed the email addresses of millions of customers. This breach could lead to phishing attacks—emails disguised as coming from a legitimate business but intended to steal more personal information, including account numbers, usernames, passwords or Social Security numbers.
- Hackers broke into Sony’s online network in one of the largest-ever Internet security break-ins, revealing names, addresses, and possibly credit card data of 77 million user accounts.
- TJ Maxx experienced an “unauthorized intrusion” into its computer system, revealing an undisclosed number of customers’ credit and debit card information.
- Four laptops containing the names, addresses, and Social Security numbers of 60,000 employees were misplaced from Starbucks’ headquarters.
- Hackers broke into AT&T’s computer system, revealing credit card information of 19,000 customers who purchased equipment from AT&T’s online store.
- A laptop was stolen from a Boeing employee’s car, disclosing the names, addresses, Social Security numbers, dates of birth, and salary information of 400,000 employees.
- A laptop was stolen from a Safeway manager’s home, revealing the names, Social Security numbers, and work locations of 1,200 employees.