Senators reintroduce identity theft measure

Bill would require federal agencies and private companies to establish safeguards to protect consumer data and to notify potential victims of a security breach.

A measure reintroduced in the Senate on Wednesday would trump state regulations that seek to protect consumers from identity theft by establishing a national law that requires public and private institutions to safeguard sensitive data and to notify people whose personal information might have been compromised.

The 2010 Data Security Act, introduced by Sens. Tom Carper, D-Del., and Bob Bennett, R-Utah, would affect any entity that maintains individuals' personal data, including financial institutions, retailers and federal agencies. The bill was last introduced in 2007, but did not pass during the 110th Congress. It was modeled after the 1999 Gramm-Leach-Bliley Act, which requires financial institutions to protect against unauthorized access to or use of customer information, and other subsequent regulations.

The bill "also builds on existing law to better ensure federal and state regulators comply with the law and to make certain that data security procedures are uniformly applied," said Carper, during a speech on the Senate floor. He noted that in 2009 a hacker accessed the computer network of Heartland Payment Systems, which processes transactions for retailers and restaurants nationwide, leaving as many as 100 million people at risk of identity fraud or financial theft. "This situation is simply unacceptable and this bill will help address these serious problems," he said.

The measure asks federal agencies to establish "appropriate standards relating to administrative, technical and physical safeguards" to ensure the security and confidentiality of sensitive account information and sensitive personal information that is maintained or communicated by or on behalf of that agency. Agencies also would be required to protect against any anticipated threats or hazards to the security of such information, as well as any misuse that could result in substantial harm or inconvenience to a consumer.

The Office of Management and Budget already requires federal agencies to notify individuals in the event of a breach of their personal information, but the bill would ensure procedures were uniform across public and private entities. At last count, 47 states plus the District of Columbia, New York City and Puerto Rico have their own laws, which vary widely.

"We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country [and makes] it easier for businesses and government agencies to protect all Americans from identity theft and account fraud," Carper said.

This is the latest measure introduced to combat identity fraud. The Data Breach Notification Act, unveiled in January 2009 by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July 2009 by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.

Both bills cleared the Senate Judiciary Committee and have been placed on the calendar for consideration by the full Senate.
