Statement of Senator Feinstein on Legislation to Ensure Individuals are Notified when Personal Information is Stolen from Databases

November 4, 2003

Washington, DC - At a hearing of the Senate Judiciary Subcommittee on Terrorism, Technology, and Homeland Security, Senator Dianne Feinstein (D-Calif.) today called on her colleagues to approve legislation she sponsored that would require businesses or government agencies to notify individuals if a database has been broken into and personal data has been compromised, including Social Security numbers, driver's license numbers and credit card numbers.

The following is the prepared text of Senator Feinstein's statement:

"Good morning. I am delighted that we are having this hearing today to discuss the ever-growing problem of identity theft and the measures that are needed to protect consumers in this country from this terrible crime, which plagued nearly one million Americans last year. Over the last several years, identity theft has ranked as the leading consumer fraud complaint filed with the Federal Trade Commission.

The type of protection we are here to discuss is the rights of consumers to be notified if their personal information has been stolen from a database run by the government or by any private company.

I want to thank my colleague and friend Senator Kyl for chairing this hearing so that we can discuss the scope of the problem and how to solve it.

This problem requires our attention because all Americans are consumers. We are all potential victims of the crime of identity theft. Because the problem has a national scope, in June of this year, I introduced the Notification of Risk to Personal Data Act. This legislation requires the government or private entities to notify individuals when their most sensitive personal information is stolen from a government or corporate database.

The personal information includes Social Security numbers, driver's license numbers, credit card numbers, debit card numbers, or financial account numbers.

In most cases, if authorities know that someone is a victim of a crime, the victim is notified. But that isn't the case if an individual's most sensitive personal information is stolen from an electronic database.

I strongly believe individuals have a right to be notified when their most sensitive information is compromised - because it is truly their information. And they have the right to decide what actions they want to take once a breach has been discovered.

Unfortunately, data breaches are becoming all too common and current law does not require notification to consumers when these breaches occur. Consider the following incidents which have compromised the records of hundreds of thousands of Americans.

  • In August of this year, Daniel Baas was arrested and charged by federal prosecutors in Ohio with breaking into the computer databases of a company called Axiom Corporation, which analyzes consumer databases for a variety of companies, including several Fortune 500 firms, and downloading sensitive information about some of its clients' customers. The affidavit which was filed by law enforcement stated that Baas claimed he had access to private phone databases from Cincinnati Bell, AT&T Mobile, Sprint PCS and Nestle. This breach has caused Axiom about $1.5 million in damage.
  • In February 2003, a hacker gained access to ten million Visa, MasterCard, American Express Card and Discover Card numbers from the databases of a credit processor, DPI Merchant Services of Omaha, Nebraska. Company officials maintained that the intruder did not obtain any personal information for these card numbers such as the account holder's name, address, telephone number or Social Security number. However, at least one bank canceled and replaced 8,800 cards when it found out about the security breach.
  • On April 5, 2002, a hacker broke into the electronic records of the Steven P. Teale Data Center, the payroll facility for California state employees. The hacker compromised files containing the first initials, middle initials, and last names, Social Security numbers, and payroll deduction information of approximately 265,000 people.
  • On December 14th, 2002, TriWest Health Care Alliance, a company that provides health care coverage for military personnel and their families, was burglarized. Personal information including names, addresses and Social Security numbers of over 500,000 military service members, dependents and retirees was stolen from the company's computer databases. I understand that Mr. McIntyre, the President and CEO of TriWest, is here today to talk about what happened in his company, the steps that his company took to notify their beneficiaries, and steps that his company has taken since this breach to try and avoid these problems in the future.

These are just some examples of the types of breaches that are occurring today, and states are taking action. My own state of California has a state notification law which requires companies or agencies to tell individuals of the misappropriation of their personal data. But this is a national problem and requires a national solution.

Let me take a moment to describe the legislation I introduced this past June:

The legislation requires a business or government entity to notify an individual when there is a reasonable basis to conclude that a hacker or other criminal has obtained unencrypted personal data maintained by the entity.

Personal data is defined by the bill as an individual's Social Security number, State identification number, driver's license number, financial account number, credit card number, or credit card number.

The legislation's notification scheme minimizes the burdens on companies or agencies that must report a data breach.

In general, notice would have to be provided to each person whose data was compromised in writing or through e-mail. But there are important exceptions.

First, companies that have developed their own reasonable notification policies are given a safe harbor under the bill and are exempted from its notification requirements.

Second, encrypted data is exempted.

Third, where it is too expensive or impractical (e.g., contact address information is incomplete) to notify every individual who is harmed, the bill allows entities to send out an alternative form of notice called "substitute notice." Substitute notice includes posting notice on a website or notifying major media.

The bill has a tough, but fair enforcement regime. Entities that fail to comply with the bill will be subject to fines by the Federal Trade Commission of $5,000 per violation or up to $25,000 per day while the violation persists. State Attorneys General can also file suit to enforce the statute.

Additionally, the bill would allow California's new law to remain in effect, but preempt conflicting state laws. It is not fair to put companies in a situation that forces them to comply with database notification laws of 50 different states.

I look forward to working with my colleagues to pass this important legislation. This bill will give all Americans more control and confidence about the safety of their personal information. Americans will have the security of knowing that should a breach occur, they will be notified and be able to take protective action. All Americans deserve that sense of security.

If individuals are informed of the theft of their Social Security numbers or other sensitive information, they can take immediate preventative action.

  • They can place a fraud alert on their credit report to prevent crooks from obtaining credit cards in their name;
  • They can monitor their credit reports to see if unauthorized activity has occurred;
  • They can cancel any affected financial or consumer or utility accounts;
  • They can change their phone numbers if necessary.

Prompt notification will also help combat the growing scourge of identity theft. According to the Identity Theft Resources Center, a typical identity theft victim takes six to 12 months to discover that a fraud has been perpetuated against them.

I look forward to hearing the testimony today so that we can get a fuller picture of the problem of database security breaches and the preventative steps companies are taking to address these problems and to notify individuals when these breaches arise."

A summary of the bill is attached.

The "Notification of Risk to Personal Data Act" would set a much-needed national standard for notification of consumers when a database breach occurs. Specifically, the legislation would:

  • Require a business or government entity to notify an individual when there is a reasonable basis to conclude that a hacker or other criminal has obtained unencrypted personal data maintained by the entity;
  • Define as personal data an individual's Social Security number, driver's license number, state identification number, bank account number, or credit card number;
  • Subject entities that fail to comply with fines by the Federal Trade Commission of $5,000 per violation or up to $25,000 per day while the violation persists (State Attorneys General can also file suit to enforce the statute); and
  • Allow California's new law to remain in effect, but preempt conflicting state laws, so as not to put companies in a situation that forces them to comply with database notification laws of 50 different states.

The legislation's notification scheme minimizes the burdens on companies or agencies that must report a database breach, and in general, notice would have to be provided to each person whose data was compromised in writing or through e-mail. But there are important exceptions:

  • Companies that have developed their own reasonable notification policies are given a safe harbor under the bill and are exempted from its notification requirements;
  • Encrypted data is exempted; and
  • Where it is too expensive or impractical (e.g., contact address information is incomplete) to notify every individual who is harmed, the bill allows entities to send out an alternative form of notice called "substitute notice." Substitute notice includes posting notice on a website or notifying major media.

Substitute notice would be triggered if any of the following factors exist:

(i) the agency or person demonstrates that the cost of providing direct notice would exceed $250,000;
(ii) the affected class of subject persons to be notified exceeds 500,000; or
(iii) the agency or person does not have sufficient contact information to notify people whose information is at risk.

###