The Data Security Act of 2014 would require entities such as financial institutions, retailers, and federal agencies to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to businesses that take credit or debit card information, data brokers that compile private information, and government agencies that possess nonpublic personal information.
“New technologies pose new opportunities – as well as new security challenges. As recent headlines have once again reminded us, now is the time to strengthen our nation’s data security and defend consumers against data breaches by both businesses and government agencies,” said Blunt. “I’m glad to work with Senator Carper again as we continue our bipartisan effort to create consistent, national standards to better protect consumers and businesses from identity theft and account fraud.”
“As the recent incidents involving Target and Neiman Marcus remind us, major data breaches that compromise consumers’ identities and financial security are becoming more routine. These recent breaches, and others before them, underscore the need for Congress to act to protect Americans against fraud and identity theft,” said Carper. “For millions of Americans, data breaches can cause worry and confusion and, in some cases, serious financial harm. We cannot allow technology advances to outpace the security measures in place to safeguard the transactions we conduct in person and online. This bipartisan and comprehensive approach would better serve consumers by ensuring that businesses and government agencies take the steps necessary to secure personal and financial information and respond swiftly and effectively in the unfortunate event of a breach.”
Additional background on the “Data Security Act of 2014”
- The Data Security Act would better protect consumers by replacing the current patchwork of state laws with a single set of national requirements. Today, 49 states and U.S. territories have enacted laws governing data security and data breach notification standards. Inconsistent and conflicting state-by-state standards force public and private entities to comply with multiple regulations and leave consumers with protections that vary depending on the state they live in.
- If a financial institution, retailer, federal agency or other entity determines that sensitive information was or may have been compromised, the Data Security Act of 2014 requires the entity to investigate the scope of the breach and the type of information compromised or potentially compromised, and to determine whether the information is likely to be used to cause harm to an individual or to commit fraud. If the entity determines that the information was compromised and is likely to cause harm, it must notify the appropriate federal regulatory agency, law enforcement, the national consumer reporting agencies (where the breach affects more than 5,000 consumers), and all consumers affected by the breach.
- The Data Security Act of 2014 is modeled on the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. It builds on existing law to better ensure that federal and state regulators comply with the law and that data security procedures are uniformly applied.