[Congressional Record Volume 152, Number 84 (Monday, June 26, 2006)]
[Senate]
[Page S6494]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BENNETT (for himself and Mr. Carper):
  S. 3568. A bill to protect information relating to consumers, to 
require notice of security breaches, and for other purposes; to the 
Committee on Banking, Housing, and Urban Affairs.
  Mr. BENNETT. Mr. President, I rise today with my friend and colleague 
on the Banking Committee, the Senator from Delaware, Mr. Carper, to 
introduce legislation that I believe is of great importance to our 
economy and to American consumers. This legislation, The Data Security 
Act of 2006, will help protect individuals and businesses from the 
crimes of identity theft and account fraud, which are increasing at an 
alarming rate. These crimes impose higher costs on every consumer and 
business and can be financially debilitating to individuals whose 
personal information is stolen.
  We are now living in the Information Age. Information drives our 
economy, from the design and production phase of new products or 
services to payment and delivery. Information technology and electronic 
networks have brought conveniences and efficiencies to both producers 
and consumers in our economy. Producers can better focus their products 
and services to potential customers, and consumers get the products 
they want with multiple payment options. Technology and, specifically, 
information technology makes this process ever more convenient and 
efficient.
  All of the conveniences and efficiencies of the information age which 
benefit our evolving economy and its consumers have also brought new 
challenges. Criminals have also entered the information age and are now 
targeting and using information technology to steal from many of us.
  Information databases and electronic information networks that 
contain sensitive personal information and sensitive financial account 
information are increasingly targets of sophisticated hackers, 
organized crime rings, identity thieves, and other criminals. When an 
individual has his identity or account information stolen from one of 
these sources and criminals use his or her legitimate name and credit 
history to create fraudulent accounts, or fraudulently access an 
existing account, by the time it is discovered, it is often too late to 
prevent that consumer from the need to invest significant time and 
effort to clear his or her name. These crimes also impose significant 
costs on financial institutions which are often liable for the loss of 
funds from the fraud. These costs are then passed on to all consumers 
through higher prices. We need to do more to prevent this type of fraud 
from happening in the first instance.
  Currently, we are only partially protecting consumers from account 
fraud and identity theft. Criminals have shown they know how to exploit 
any weakness in information databases and networks, so we must do more 
to protect this information regardless of where it is located. Most of 
the recent data security breaches have occurred outside of financial 
institutions.
  The Gramm-Leach-Bliley Act requires financial institutions to protect 
the security and confidentiality of customer information. The Federal 
banking agencies have issued guidance under the Gramm-Leach-Bliley Act 
requiring banks to investigate and provide notices to customers of 
breaches of data security involving customer information that could 
lead to account fraud or identity theft. Even with GLB and the 
associated regulations and guidance that have been implemented, many 
databases and information networks continue to be vulnerable because 
Federal law generally does not require entities that are not financial 
institutions to protect the security and confidentiality of sensitive 
information relating to consumers, or to investigate and provide 
notices to consumers of breaches that may lead to account fraud or 
identity theft.

  I recognize that many States have enacted security breach 
notification statutes in an effort to protect their citizens and I 
commend them for their efforts, but these statutes impose different and 
sometimes conflicting requirements, thereby providing consumers with 
uneven protection and subjecting businesses to multiple and confusing 
standards.
  Our credit granting system and financial payments system is a 
national one and not a state based system. Consumers generally benefit 
greatly because of our national system. Because of that fact, I believe 
we need a national uniform system governing data security and security 
breach notification for financial institutions and other entities that 
maintain or communicate financial account information or personally 
identifiable information that could be used by identity thieves.
  The standards established as a result of the guidance issued by the 
Federal banking agencies under the Gramm-Leach-Bliley Act provide an 
appropriate model for Federal data security and security breach 
notification requirements and is, therefore, the model for the Data 
Security Act of 2006.
  The Data Security Act of 2006 will provide a uniform national 
standard for data security and breach notification. Sensitive personal 
and account information must be protected, and in the event where that 
protection is breached and there is a risk to the individual of 
identity theft or account fraud, that individual must be notified so 
that he or she can take the appropriate steps to protect him or her 
self.
  I encourage my colleagues to c1ose}y review this legislation and I 
hope we can act quickly here in the Senate to pass the Data Security 
Act of 2006. I thank my friend from Delaware, Senator Carper, for 
joining with me today to introduce this legislation.
                                 ______