Senator Feinstein Urges Colleagues to Pass Data Breach Legislation Following Indictment of Hackers For Attack on U.S. Retail and Banking Networks
Aug 18 2009
Washington, D.C. – U.S. Senator Dianne Feinstein (D-Calif.) today urged Congress to pass her data breach legislation following yesterday’s indictment of three men accused of hacking into American retail and bank computer networks and stealing more than 130 million credit and debit card numbers.
“It’s truly shocking. Many of these people may not have been notified that their debit and credit card numbers were gone. So you have 130 million potential crime victims who may not know that they are potential crime victims,” Senator Feinstein said. “Six years ago I introduced a simple bill which would require that consumers be notified when their personal information has been obtained in a breach. Forty-five states now have laws that require people to be notified but there is no national bill. The time has come to pass this.”
According to the Department of Justice, the alleged culprits (Albert Gonzalez, 28, of Miami and two Russian co-conspirators) infiltrated the computer network of Heartland Payment Systems, a payment processor based in Princeton, N.J.; 7-Eleven Inc.; a regional supermarket chain and two unnamed national retailers.
It’s unclear whether all of the individuals whose card numbers were stolen in this case have been notified and offered new account numbers, since some states require card issuers to notify customers about security breaches, but others do not.
Senator Feinstein’s legislation, the Data Breach Notification Act, would provide a unified national standard and require that consumers be notified when their personal information has been obtained in a breach.
The Data Breach Notification Act
- Requires businesses and federal agencies to give notice of data breaches without unreasonable delay (unless notification would impede a criminal investigation);
- Requires individual notice, which must include a description of the breach and a toll-free number for more information;
- If more than five thousand people in a given state must be notified, then notice must also be given to major media outlets in that state;
- If more than five thousand individuals must be notified, then the company or agency that is the subject of the breach must coordinate with credit reporting agencies;
- Requires notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement;
- Does not require a federal agency to provide notice if it certifies possible damage to national security or hindrance of a law enforcement investigation;
- Provides a safe harbor if a risk assessment concludes there is no significant risk of harm to individuals and the Secret Service does not overrule that conclusion;
- Does not require notice if a business uses a security program that is designed to prevent financial fraud and provides for notice when a security breach leads to fraudulent transactions;
- Authorizes the Attorney General and State Attorneys General to bring civil actions;
- Supersedes any federal or state law; and
- Is effective 90 days after date of enactment.