Plan requires notification of consumers and law enforcement when sensitive personal data is released
Jul 28 2011
Washington—Senator Dianne Feinstein (D-Calif.) introduced legislation that requires the prompt notification of American consumers when their personal and sensitive identifiable information (including Social Security numbers, passwords, or credit card account numbers) is breached and made available to unauthorized users.
According to the Federal Trade Commission, between 8 and 10 million American consumers are victims of identity theft annually. The Privacy Rights Clearinghouse reports that 500 million records containing sensitive personally identifiable information have been exposed in data breaches since 2005.
“It is past time for Congress to pass a national breach notification standard to ensure that consumers are notified when their information is exposed so they can take the necessary steps to protect themselves,” Feinstein said. “This bill will protect consumers, cut costs for businesses, and give law enforcement officials additional resources they need to track data attacks.”
The Data Breach Notification Act of 2011 will:
- Earlier this year, a giant security breach at Epsilon (an online marketing firm) exposed the personal information of millions of American consumers. The breach raised serious concerns that data thieves would use this personal information to subject consumers to targeted, fraudulent e-mails and trick people into turning over even more personal information.
- Last year, data thieves acquired identity data on roughly 3.3 million student loan borrowers from the Educational Credit Management Corp. – a number that accounts for almost five percent of all federal student loan recipients. The data included names, addresses, Social Security numbers, and other personal data.
- Recently a major breach hit Citibank, exposing the information of more than 360,000 bank customers. Another massive data breach exposed information about more than 100 million Sony customers.
- In California, the state Department of Public Health was hit by its second major data breach this year, affecting thousands of current and former state employees.
Cut Costs for Businesses
- Under some estimates, the business community loses as much as $48 billion annually in fraudulent transactions involving stolen identities. Under the current legal framework, businesses must comply with 46 different state laws to determine what kind of notice is necessary when a data breach occurs. Senator Feinstein’s legislation creates a single standard for companies to follow.
Give Law Enforcement Officials Additional Resources
- Jeffrey Troy, Deputy Assistant Director of the FBI’s Cyber Division, urged businesses in 2009 to support federal breach notification legislation because federal officials need to receive information about data breaches in order to stop similar attacks at other organizations. “Connecting the dots is critical to this effort,” Troy said.