Press Releases

Washington, DCU.S. Senator Dianne Feinstein (D-Calif.), Chairman of the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security, today called for legislation to be passed that would provide strong protections against identity theft. 

In January, Senator Feinstein reintroduced two pieces of legislation aimed at protecting individuals from identity theft by:

  • requiring businesses to notify consumers in the event of a security breach involving sensitive personal data, and
  • prohibiting the sale or display of an individual’s Social Security number without his or her consent.

The following is the prepared text of Senator Feinstein’s opening remarks for today’s Subcommittee hearing, “Identity Theft: Innovative Solutions for an Evolving Problem”:

“Identity theft is a crime that has many victims.  Most obviously, innocent consumers can become victims of identity theft when a criminal gets hold of sensitive information like a Social Security Number and racks up debt or an arrest record in the consumer’s name. 

The victim might not even know about the problem until he or she applies for a mortgage, a car loan, or a job that requires a background check.  Suddenly, that new house, new car that’s needed for the daily commute, or job opportunity is out of reach.

It might be less obvious, but businesses are also major victims of identity theft.  Under recent estimates, the business community loses as much as 48 billion dollars each year in fraudulent transactions that involve stolen identities. 

And finally, our economy as a whole suffers from the chilling effect of identity theft.  People who are worried about the security of their personal data will avoid making purchases that might put their data at risk. 

Commerce on the Internet is stifled.  And when consumers have fewer options for online commerce, there is less of the competition that fosters innovation and economic success.

Since the beginning of 2005, over 100 million data records containing individuals’ sensitive personal data have been exposed due to data breaches.  That works out to about one in every three Americans.  It could include the personal data of many people in this room today.

Some people whose data has been breached do not even know they are at risk of identity theft.  Some states require notice to affected individuals when a breach happens, but other states do not.

I believe it is vitally important to ensure that people know when their data has been exposed.  The law allows people to take steps to protect themselves from identity theft – but that is of no use unless people know they are at risk.  That is why I have introduced the Notification of Risk to Personal Data Act.

This legislation would require federal agencies and businesses all across the country to give notice of data breaches involving sensitive personal information, unless they conclude – and the Secret Service agrees – that there is no significant risk of harm to the people whose data was accessed.

Today we will talk about why this legislation is needed.  We will also hear from representatives of the Department of Justice and the Federal Trade Commission, which are leading an Identity Theft Task Force that the President created last year.

I am proud that my home state of California has been a leader in the fight against identity theft.  The nation’s first state agency devoted to privacy protection opened in California in 2001, and the head of that agency is here as a witness today.

One of the early steps that California took was to enact a law that requires businesses and government agencies to send people a notice when their sensitive personal information is acquired in a data breach.

Because of that notification requirement, we learned in early 2005 that over 160,000 records with personal data were accessed in a data breach at a company called ChoicePoint.  Many consumers had never even heard of ChoicePoint, let alone knew that the company was holding their personal data.  Yet, on that day, over 160,000 people were put at risk.

More recently, in November 2006, the University of California at Los Angeles was dismayed to discover that a computer hacker had accessed the personal records of up to 800,000 faculty, staff, students, and applicants.  UCLA did the right thing and sent notices to all of those affected.  The university also set up a toll-free hotline for the affected individuals to get more information.  An official from UCLA is here as a witness to describe the university’s experience and show why it is important to give notice of breaches.

Last year the Federal Trade Commission received nearly 250,000 complaints of identity theft.  And even though California is a longtime leader in the fight against this crime, five of the ten cities with the highest number of complaints per capita were in California.

The problem of identity theft is persistent, and it will not be solved without a strong effort from Congress and from all those who investigate and prosecute identity thieves.

Much more needs to be done to eliminate this scourge on our economy and on the privacy of our citizens.  We cannot afford to wait – and today we will learn more about what we can do.”

Background on Senator Feinstein’s Identity Theft legislation

The Notification of Risk to Personal Data Act (S.239): 

  • Requires a federal agency or business entity to notify an individual of a security breach involving personal data without unreasonable delay;
  • Allows limited exemptions for law enforcement and national security reasons;
  • Requires media notice as well as individual notice;
    • Notice must include description of the type of personal data breached and a toll-free number to call for more information;
    • If more than 1,000 individuals must be notified, then the company or agency must coordinate with credit reporting agencies;
  • Requires notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached contains more than one million entries, is owned by the federal government, or involves national security or law enforcement;
  • Authorizes the U.S. Attorney General and state Attorneys General to bring civil actions;
  • Supersedes any conflicting federal or state laws; and
  • Authorizes necessary appropriations.

The Social Security Number Misuse Prevention Act (S.238): 
  • Prohibits the sale or display of an individual’s Social Security number to the general public without the individual’s consent;
  • Prohibits federal, state and local government agencies from displaying Social Security numbers on public records posted on the Internet or issued to the general public through CD-ROMs or other electronic media, or from printing them on government checks;
  • Prevents the employment of inmates for tasks that would give them access to the Social Security numbers of other individuals;
  • Provides some limitations on when a business can ask a customer for his or her Social Security number;
  • Requires a study of the current uses of Social Security numbers and the impact on privacy and data security; and
  • Includes both criminal and civil penalties.

In the 109th Congress, Senator Feinstein’s data breach notification measure was included as part of a comprehensive data privacy bill that passed the Judiciary Committee on November 17, 2005, but did not get Senate floor action.