Chairman Rockefeller Remarks on Today's Legislative Hearing on S.3742, the Data Security Breach and Notification Act of 2010

September 22, 2010

Chairman RockefellerWASHINGTON, D.C.— Thank you, Senator Pryor, for holding this hearing, and I want to commend you for your continued, excellent stewardship of the Consumer Protection Subcommittee.

In today’s economy, a vast array of businesses and organizations maintain information about consumers. When a person buys a book online, the company asks for the name, address and credit card information from the individual. When a student pays his or her tuition, a college may collect that student’s debit card information. Employers gather information about their employees, including background data, and their bank account number for direct deposit. All these entities store consumers’ personal information in databases – some of which are well protected and some of which are not. Every day, consumers run the risk that the entities holding their information will suffer a data breach, and their information will be compromised by no fault of their own.

Data breaches plague businesses and organizations, putting millions of consumers at risk. According to the Privacy Rights Clearinghouse, over half a billion data records have been compromised by unauthorized access to consumer databases since 2005. In 2009 alone, there were 498 data breaches involving 222 million sensitive records.

The consequences of these breaches are grave: identity theft, depleted savings accounts, a ruined credit score, and trouble getting loans for cars, homes and kids are just some of the effects.

To minimize data breaches, deter identity theft and protect consumers, Senator Pryor and I introduced S. 3742, the Data Security and Breach Notification Act of 2010. The legislation establishes needed protections for consumers, while at the same time providing regulatory certainty to businesses.

In S. 3742, Senator Pryor and I address the dangers of data breaches and identity theft by imposing two key mandates on businesses and nonprofit organizations that maintain large consumer databases. First, the bill requires these businesses and organizations to adopt security protocols to reasonably protect their databases from unauthorized access. Second, the bill requires breached entities to notify all affected consumers of data breaches in a timely manner – unless there is no reasonable risk of identity theft or harm to consumers.

The bill also imposes new requirements on information brokers – the companies that amass, organize, and sell vast amounts of American consumers’ information to third party buyers for a profit. Specifically, the Data Security and Breach Notification Act of 2010 gives consumers the right to know what data information brokers are collecting on them; and the right to correct any inaccuracies they may find.

It is important to note that our bill represents a carefully crafted compromise between consumer groups and the business community. On the one hand, consumers get strong protections and aggressive enforcement by states’ attorneys general. On the other hand, the bill creates national standards that facilitate interstate commerce; and the Federal Trade Commission is provided with regulatory flexibility to accommodate technical complexities and small business concerns.

The Commerce Committee has twice reported data security legislation out of Committee. Both times the Senate has failed to take it up on the floor. I fully intend to report this bill out of the Commerce Committee in next week’s markup, and it is my sincere hope that this time – the third time – is the charm. The House has passed data security legislation on voice vote. I hope we can achieve a similar result in the Senate.