With data ID thieves increasingly putting the bite on consumers, U.S. Sen.
Dianne Feinstein (D-Calif.) moved Monday to add more teeth to her
two-year-old identity-theft legislative proposal.
Based on a California state law, the bill requires a business or government
agency to notify an individual in writing or by e-mail when it is believed
that personal information has been compromised.
Under opposition from banks and financial institutions, the proposal died in
the 108th Congress. Feinstein reintroduced the legislation in January but
redrafted the bill in light of the high-profile data leaks at ChoicePoint, LexisNexis and Bank of America.
The Senate Judiciary Committee will examine Feinstein’s bill Wednesday, and the notion of a national notification law will likely be a major source of questions to officials from the Federal Trade Commission, the FBI and the Secret Service.
In addition, Douglas C. Curling, president and CEO of ChoicePoint, and
Kurt P. Stanford, president and CEO of LexisNexis’ corporate and federal
markets, are expected to testify.
“We desperately need a strong national standard that says whenever a data
system is breached, everyone who is at risk of identity theft must be
notified,” Feinstein said in a statement.
She added, “The fact of the matter is that your buying habits, your bank
accounts, your Social Security number, your driver’s license — all of your
personal data — today is being collected, collated, distributed, bought,
sold, without your knowledge or consent.”
The legislation proposes a $1,000 per individual civil fine for failure to
notify or not more than $50,000 per day while the failure to notify
continues. The data covered by the bill includes both electronic and
non-electronic information, as well as encrypted and non-encrypted data.
Feinstein’s bill makes only two exceptions to notifying consumers of a data
breach: by the written request of law enforcement for the purposes of a
criminal investigation and for national security purposes.
The measure also allows companies or government agencies to substitute a Web
site posting or media release for mail or e-mail notice. In order to qualify
for the substitute notice, the company or agency must demonstrate that the
cost of providing direct notice would exceed $500,000 or that more than
500,000 individuals would have to be notified.
“Every day, we learn that we are more and more at risk from identity
theft — entire databases have been lost, stolen, or hacked into,”
Feinstein said. “First, we heard about ChoicePoint — a case that resulted
in the theft of the personal information of 145,000 Americans — but this
was just the beginning. Now we have watched as wave after wave of data
system theft has come to light, exposing millions of Americans to identity
Feinstein said that while she based her legislation on the California law,
her proposal goes further than the nation’s only ID theft measure. The
California law, for instance, only covers unencrypted electronic data.
In addition, the Feinstein bill lays out specific requirements for what must
be included in the data breach notices, including a description of the data
that may have been compromised and a toll-free number to learn what
information and which individuals have been put at risk.
By contrast, California law is silent on what must be included in data-breach notices to consumers.
The bill also allows individuals to put a seven-year fraud alert on their
credit report, while the California law doesn’t address fraud alerts.