Senator Feinstein Seeks to Ensure Individuals are Notified when Personal Information is Stolen from Databases
June 26, 2003

Washington, DC - Senator Dianne Feinstein (D-Calif.) introduced legislation today that would require businesses and government agencies to notify individuals when a database has been broken into and personal data has been compromised, including Social Security numbers, driver's license numbers and credit card numbers. The bill is modeled, in part, on a California law that takes effect on July 1.

"I strongly believe individuals have a right to be notified when their most sensitive information is compromised - because it is truly their information," Senator Feinstein said. "This is both a matter of principle and a practical measure to curb identity theft."

"Ask the ordinary person on the street if he or she would like to know if a criminal had illegally gained access to their personal information from a database - the answer will be a resounding yes. And unfortunately, database breaches are becoming all too common."

Several recent incidents highlight the need for national legislation. For instance:

  • In April 2002, hackers broke into the State of California's Stephen P. Teale Data Center. The hackers illegally gained access to the sensitive personal information of about 265,000 State workers. The breach was not discovered until May 7, 2002 and employees were not notified until May 21, 2002.

  • On December 14, 2002, a thief stole laptops and hard drives from Tri West Health Care containing the names, addresses, telephone numbers, birth dates and Social Security numbers of 562,000 military members and their dependents.

  • And in February 2003, a hacker gained access to 10 million Visa, MasterCard, and American Express numbers by breaking into the database of a credit processor, DPI Merchant Services of Omaha, Nebraska.

Yet with the exception of California, whose notification law takes effect next Tuesday, no state or federal law requires companies or government agencies to notify people when a hacker - or, for that matter, an employee - breaks into the entity's database and compromises an individual's personal information.

The "Notification of Risk to Personal Data Act" would set a much needed national standard for notification of consumers when a database breach occurs. Specifically, the legislation would:

  • require a business or government entity to notify an individual when there is a reasonable basis to conclude that a hacker or other criminal has obtained unencrypted personal data maintained by the entity;

  • define as personal data an individual's Social Security number, driver's license number, state identification number, bank account number, or credit card number;

  • subject entities that fail to comply to Federal Trade Commission fines of $5,000 per violation, or up to $25,000 per day for as long as the violation persists (state Attorneys General could also file suit to enforce the statute);

  • and allow California's new law to remain in effect, but preempt conflicting state laws, so as not to put companies in a situation that forces them to comply with database notification laws of 50 different states.

The legislation's notification scheme minimizes the burden on companies and agencies that must report a database breach. In general, notice would have to be provided to each person whose data was compromised, either in writing or by e-mail. But there are important exceptions:

  • companies that have developed their own reasonable notification policies are given a safe harbor under the bill and are exempted from its notification requirements;

  • encrypted data is exempted;

  • and where it is too expensive or impractical (e.g., contact address information is incomplete) to notify every affected individual directly, the bill allows entities to provide an alternative form of notice called "substitute notice," such as posting notice on a website or notifying major media.

Substitute notice would be triggered if any of the following factors exist:

(i) the agency or person demonstrates that the cost of providing direct notice would exceed $250,000;

(ii) the affected class of subject persons to be notified exceeds 500,000; or

(iii) the agency or person does not have sufficient contact information to notify people whose information is at risk.

"This bill has a tough but fair enforcement regime, and will give ordinary Americans more control and confidence about the safety of their personal information," Senator Feinstein said. "Americans will have the security of knowing that should a breach occur, they will be notified and be able to take protective action."

###