WASHINGTON, D.D.—U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) today introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. Currently, there is no single federal standard for guarding many types of consumer information.

“Data security breaches can wreak havoc on people’s lives, leading to identity theft and threatening families’ financial stability,” said Senator Pryor, Chairman of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, and Insurance. “As more and more of our personal information is collected and stored online and on computers, we need to ensure that the businesses storing this information are keeping it safe and giving us quick warning if it falls into the wrong hands. Our legislation will provide strong security and notification standards and help Americans sleep easier at night.” 

“An estimated 9 million Americans have their identities stolen each year, resulting in destroyed credit ratings and legal troubles,” said Senator Rockefeller, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation. “Consumers are placed at risk of identity theft, fraud, and other harm when bad actors get access to their personal information as a result of security breaches. Companies and other entities who collect and maintain data on individuals should keep this information safe and notify consumers if it is compromised. That is what this common sense bill requires. I thank Senator Pryor for his leadership on this issue.”

The Data Security and Breach Notification Act of 2010 would require entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach within 60 days. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

Data security breaches and identity theft are a growing problem in the United States. In 2009, the business industry experienced the greatest number of data breaches (41.8%), followed by government/military (18.1%) and education sectors (15.7%). Examples of recent data security breaches within the past 5 years include:

• TJ Maxx experienced an “unauthorized intrusion” into its computer system, revealing an undisclosed number of customers’ credit and debit card information.

• Four laptops were misplaced from Starbucks’ headquarters, containing the names, addresses, and social security numbers of 60,000 employees.

• Hackers broke into AT&T’s computer system, revealing credit card information of 19,000 customers who purchased equipment from AT&T’s online store.

• A laptop was stolen from a Boeing employee’s car, disclosing the names, addresses, social security numbers, dates of birth, and salary information of 400,000 employees.

• A laptop was stolen from a Safeway manager’s home, revealing the names, social security numbers, and work locations of 1,200 employees.

###