[Congressional Record Volume 157, Number 86 (Wednesday, June 15, 2011)]
[Senate]
[Pages S3836-S3837]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. PRYOR (for himself and Mr. Rockefeller):
  S. 1207. A bill to protect consumers by requiring reasonable security 
policies and procedures to protect data containing personal 
information, and to provide for nationwide notice in the event of a 
security breach; to the Committee on Commerce, Science, and 
Transportation.
  Mr. ROCKEFELLER. Mr. President, I rise to say a few words on the 
introduction of the Data Security and Breach Notification Act. Senator 
Pryor and I introduced this bill in the 111th Congress, and given the 
recent high-profile data breaches that have endangered the well-being 
of millions of ordinary American consumers, today's reintroduction of 
this comprehensive bill is
timely. I want to thank and commend Senator Pryor for his leadership on 
this issue and for his terrific work as Chairman of the Consumer 
Protection Subcommittee on the Commerce Committee.
  As the recent breaches at Citigroup, Sony, and Epsilon have taught 
us, companies that collect and store sensitive consumer information 
should have two important obligations: to maintain that information in 
a manner that is safe and secure; and to notify affected consumers as 
quickly as possible in the wake of a security breach in order to allow 
them to take necessary steps to protect themselves. Senator Pryor's and 
my bill addresses both of these obligations. Currently, 47 States have 
data breach notification laws on the books, but very few address how 
companies should secure their data from the outset to prevent such 
breaches.
  Our bill calls on the Federal Trade Commission to promulgate 
regulations that direct companies to establish and maintain reasonable 
protocols to secure consumer data from unauthorized access. In this 
regard, the bill also has specific provisions addressing data brokers, 
which are companies that collect and sell massive amounts of 
information on individuals, largely without their knowledge. The Data 
Security and Breach Notification Act would allow consumers to access 
and, if necessary, correct the personal information that these data 
brokers maintain and sell.
  Furthermore, if a security breach occurs, our bill requires companies 
to notify affected consumers unless there is no reasonable risk of 
identity theft, fraud or unlawful conduct. This breach notification 
standard is very important and reflects the most consumer-protective 
standard in the country. The presumption is that companies should 
notify consumers of a breach. However, if the breached entity 
determines that there is no reasonable risk of harm, for instance, if 
the company has made the data unusable through advanced encryption 
technology, then they are spared this obligation. The FTC and state 
Attorneys General are tasked with enforcing the law.
  The Commerce Committee has a long, well-established history of 
addressing data security issues, and the Committee has reported data 
security bills in past Congresses. As Chairman of the Commerce 
Committee, I intend to work with Senator Pryor to enact this bill into 
law. Majority Leader Reid has introduced a cyber-security bill that 
provides for the inclusion of a data security section, and the Obama 
Administration has also released a cybersecurity proposal that contains 
a breach notification provision. The bill that Senator Pryor and I have 
introduced is a carefully balanced bill that protects consumers, but 
also addresses the legitimate needs of business and does not impose 
needless regulations and obligations. This bill has wide support from 
both the consumer groups and many sectors in the business community, 
and I will work with Senator Pryor to address further concerns in order 
to garner consensus.
                                 ______