Senators try again on identity theft bill

Senators Tom Carper (D-Del.) and Bob Bennett (R-Utah) re-introduced a bill Wednesday that would require companies to notify consumers when their personal information has been stolen.

The bill would replace a system of state data breach notification laws with a national framework clarifying what constitutes personal or sensitive information — any information that can be used to steal from a consumer, commit identity theft, or be used for other criminal activities. The bill also requires organizations to notify consumers within a reasonable timeframe if their information has been breached.

Carper and Bennett have introduced similar legislation in previous sessions, but a senior Senate aide said the current focus on cybersecurity makes this their best chance of getting the bill passed. The aide also said the Obama administration recognizes the severity of the identity theft problem and is anxious to find a solution.

The legislation would apply to any organization that collects private or sensitive information from the public, including businesses, schools and government institutions. The bill requires that the organizations disclose all breaches but does not introduce any new penalties if they fail to do so.

Instead the lawmakers rely on existing regulations that require companies to adequately protect consumer information or face fines, public notification, or other regulatory penalties. Enforcement will fall to various regulatory agencies, depending on the sector in which the breach occurs; financial institutions that lose customer information must notify the Securities and Exchange Commission or Federal Deposit Insurance Corporation, while other groups may report to the Federal Trade Commission.

“We live in an Information Age where technology provides greater ease and business opportunities for Americans, but also increases the ability for criminals to exploit any weak link in the cyber-world,” Bennett said. “In the event that protection is violated, putting victims of identity theft or account fraud at risk, [the bill] provides a much needed uniform national standard for data security and breach notification.”