Senators Roy Blunt (R-Mo) and Tom Carper (D-Del) have introduced a
bill they say will establish national standards for preventing and responding
to data breaches and give consumers more protection from identity theft and
account fraud. S. 961, the Data Security Act of 2015, is similar to a bill
introduced in the previous Congress. Business groups are giving the proposal
strong support.
According to the senators, 51 states and
territories have enacted data security and data breach laws, creating inconsistent
and even conflicting requirements. Nationwide standards would provide clarity
for businesses and consumers.
Bill provisions. The senators say the requirements would cover retailers, financial
institutions, and any other entities that hold consumers’ nonpublic personal
information. In the case of a data security breach, the business would be
required to determine whether sensitive information could have been
compromised. If so, the business would have to determine what information could
have been affected and whether that information could be used to commit
identity theft or account fraud.
The bill also includes notification standards. If information that could cause harm to
consumers could have been compromised, the business would be required to notify
all affected consumers. Also, if more than 5,000 consumers could be affected,
federal law enforcement and regulatory agencies and national consumer reporting
agencies would be notified.
Business support. A group of seven leading financial services industry
trade associations has given the bill a strong endorsement. The group says the bill
would require everyone that handles consumers’ sensitive data to have “a robust
process” to protect that data and prevent breaches. The bill also would
“provide meaningful and consistent protections” for consumers.
Separate statements by group members the Financial Services Roundtable and American Bankers Association suggest
that extending to all businesses the data security requirements that already
are imposed on financial service providers would give consumers better
protection. The ABA adds that protecting consumer data should be “a shared
responsibility.”
For more information about legislative responses to data breaches, subscribe to the Banking and Finance Law Daily.