None of us is immune to the rash of data breaches that are occurring with ever more frequency.
Recently, we learned about a breach at UCLA Medical Center that involved the private medical records of California first lady Maria Shriver and a host of other public figures. Before that, the U.S. State Department revealed that the passport files of the three major presidential candidates – Sens. Hillary Clinton, Barack Obama and John McCain – were improperly accessed.
At risk were Social Security numbers, dates of birth, addresses and other sensitive personal information.
These are the latest public cases to make headlines. But every year millions of Americans fall victim to data breaches or identity theft. It's time for Congress to take action and give Americans the tools they need to protect themselves.
Congress needs to pass legislation that would require businesses and federal agencies to notify consumers promptly when their sensitive personal data is exposed. We deserve to know. That's why I introduced the Notification of Risk to Personal Data Act. The bill, first introduced five years ago, also:
- Requires consumers to be given a description of the breach and a toll-free phone number to call for more information.
- Requires the media to be notified if the breach involves the data of more than 5,000 people.
- Requires that the company or agency that is the subject of the breach coordinate with credit- reporting agencies if more than 5,000 individuals need to be notified.
- Requires the Secret Service to be notified if the database breached has information on more than 1 million people, is owned by the federal government or involves national security or law enforcement.
Perhaps most important, this legislation would ensure that federal agencies tell us when our sensitive personal information has been exposed.
Currently, there is no requirement that federal agencies do this, which is why several months apparently passed before McCain and Obama heard about the breaches in their passport files. It took even longer in Clinton's case: Her data was accessed more than six months before the State Department told her about it.
This is just plain wrong. The security of personal data is crucial to the privacy of every American. I believe it's vitally important to make sure people know when their data has been exposed. This would allow people to take steps to protect themselves from identity theft – steps they won't take unless they know they are at risk.
The legislation is modeled after California's landmark law that requires notification of data breaches. Currently, there is no uniform standard that applies to companies and federal agencies. Instead, there is a patchwork of laws that differ from state to state – and no data breach law at all on the federal level.
This makes no sense. History has shown that federal agencies are a significant part of the data-breach problem:
- In May 2006, the personal data of 26.5 million veterans and active-duty service members were exposed when computer equipment from the Department of Veterans Affairs was stolen.
- Last year, the Transportation Security Administration reported the loss of a computer hard drive with personal and banking information of about 100,000 current and former workers.
- The U.S. Department of Agriculture exposed the names and Social Security numbers of 38,700 people on a Web site.
- And the Internal Revenue Service – which, by design, collects Americans' most sensitive personal and financial data – lost nearly 500 laptop computers between 2003 and 2006. Over the same period, data breaches were reported 788 times across 17 federal agencies.
Data breaches are not limited to federal agencies. Last year, hackers accessed the credit card and debit card records of more than 45 million people by breaking into the computer network at the TJX Cos., which operate TJ Maxx and other stores. Other significant incidents have happened over the past six months at the Gap and GE Money.
While not all data breaches lead to identity theft, the cost of stolen identities is so enormous – estimated at more than $50 billion per year – that we should be addressing it in every possible way. And it stands to reason that data breaches have helped fuel the vast online market in stolen identities. Credit card information is sold on the Internet for as little as 40 cents per account. A full identity – including a name, address, birth date, Social Security number and even answers to "secret" security questions – can be bought for as little as $1.
Last year, the White House instructed federal agencies to develop breach notification policies and ensure that proper safeguards are in place to protect Americans' personal information held by the federal government.
This in no way goes far enough, as the breach of Clinton's passport file shows. Months passed before she was notified of the incident even though the State Department had already received the White House's instructions on breach notification. Agencies plainly need more than just instructions – what's needed is a federal law that requires them to tell us when the security of our sensitive information is breached.
Congress should act now to make sure that Americans are informed when their sensitive personal data falls into the wrong hands so they no longer will be left to wonder, "Was my personal data revealed?" when they hear about the latest data breach.
Not every data breach will make the national news. But that doesn't mean people whose data are exposed should be left in the dark.