Senator Feinstein Calls for Passage of Legislation to Require Prompt Notification When Personal Information Has Been Compromised by Data Breach
Jun 05 2006
Washington, DC – U.S. Senator Dianne Feinstein (D-Calif.) has called for the passage of legislation that would require companies, academic institutions, and government agencies to promptly notify those individuals whose information has been compromised by a data breach. Recently, the VA announced that personal information—including social security numbers and addresses—for more than 26 million veterans had been compromised. The information had been stolen during a break-in at the home of a VA employee who had violated agency regulations to bring home the information.
“It’s time for Congress to set a strong national standard that says whenever a data system is breached, those individuals whose information has been compromised must be notified,” Senator Feinstein said. “Consumers must have the tools they need to protect themselves against the risk of identity theft. In today’s increasingly digitized world, the stakes for continued Congressional inaction are simply too high.”
In letters to Senate Majority Leader Bill Frist (R-Tenn.) and Minority Leader Harry Reid (D-Nev.), as well as Senators Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.), Chairman and Ranking Member of the Senate Judiciary Committee, respectively, Senator Feinstein urged them to hotline a targeted measure she sponsored.
The bill is currently part of a broader package of identity theft legislation that was passed out of the Senate Judiciary Committee last November but has not yet been placed on the Senate Floor calendar for a vote.
Specifically, the Feinstein bill would:
- Provide important assistance to victims, including allowing individuals to put a seven-year fraud alert on their credit report;
- Lay out specific requirements for what must be included in notices to those at risk, including a description of the data that may have been compromised, a toll-free number people can call to learn what information and which individuals have been put at risk, and the numbers and addresses for three major credit reporting agencies; and
- Provide tougher civil penalties — $1,000 per individual the offending institution fails to notify up to a maximum of $50,000 per day while the failure to notify continues.
Following is the text of the letter sent to Senate Majority Leader Frist. Similar letters were sent to Senators Reid, Specter, and Leahy:
“The breach of sensitive personal information of 26.5 million veterans recently once again raises the question of identity theft and, more importantly, what steps the Senate is prepared to take now to protect against this kind of crime.
Chairman Specter and I have talked a number of times about moving ahead with my bill, the Notification of Risk to Personal Data Act (S. 751), if more comprehensive legislation stalls in the Senate. In that regard, the Personal Data Privacy and Security Act (S. 1789) has remained on the Senate Calendar for six months and does not appear to be moving forward.
I would like to ask your support for moving my targeted measure – requiring notification to individuals when a data breach occurs – forward at this time. In fact, I have asked Chairman Specter to sever this section from the larger data privacy and security bill and hotline my bill, S. 751.”