[Congressional Record Volume 160, Number 18 (Thursday, January 30, 2014)]
[Senate]
[Pages S656-S657]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

By Mr. ROCKEFELLER (for himself, Mrs. Feinstein, Mr. Pryor, and
Mr. Nelson):

S. 1976. A bill to protect consumers by requiring reasonable security
policies and procedures to protect data containing personal
information, and to provide for nationwide notice in the event of a
breach of security; to the Committee on Commerce, Science, and
Transportation.

Mr. ROCKEFELLER. Mr. President, today, I am introducing the Data
Security and Breach Notification Act of 2014. I introduce this bill
with my good friend, Senator Feinstein, Chairman of the Intelligence
Committee, as well as Senators Pryor and Nelson, valued Subcommittee
Chairmen on the Senate Commerce Committee. I want to express my
particular gratitude to Senator Pryor for his work on this issue. He
has long been the champion of data security legislation on the Commerce
Committee, and his well-known commitment and expertise on this issue,
as well as his support of our current bill, have proven to be
indispensable.

While the recent breaches at Target and Neiman Marcus have made
headlines, these breaches are nothing new. Data breaches have happened
before, and they will inevitably occur in the future. Understanding
this, there is much more that can be done to prevent breaches and, when
they occur, respond to them.

Similarly, the concepts in today's bill are not new and have been
considered by Congress before. The bill that Senators Feinstein, Pryor,
Nelson, and I introduce today is not a significant departure from the
bill that Senator Pryor and I introduced in the past two Congresses.
Like the earlier bills, it is predicated on basic principles: companies
should adopt strong security protocols to protect consumers' personal
information; they should quickly notify affected consumers in the event
of a breach; and the Federal Trade Commission, FTC, and State attorneys
general should be empowered to fully enforce the law. With those
principles as a framework, the bill we introduce today has four key
elements.

First, it directs the FTC to promulgate rules establishing robust
data security protocols that companies and nonprofits must adopt when
collecting and storing consumers' personal information. These rules
will be strong, but they will also be flexible. We recognize that
security measures for a large multi-billion-dollar corporation may not
be appropriate for a small business. As such, the Commission is
required to consider the impact on small businesses and other
mitigating factors in developing its rules.

Second, the bill requires breached companies to notify affected
consumers unless there is no reasonable risk of identity theft, fraud,
or other unlawful conduct. In so doing, the breached company must also
provide those consumers with free credit reports. If companies adopt
advanced technologies that render their personal data unreadable,
indecipherable, or otherwise unusable, there is a rebuttable
presumption that no risk to consumers exists. The FTC, in consultation
with the National Institute of Standards and Technology, shall
establish guidelines identifying the technologies that would qualify
for this rebuttable presumption.

Third, the bill will establish a two-pronged enforcement system,
whereby the FTC and state Attorneys General are afforded not only
traditional equitable remedies but civil penalty authority as well.
Moreover, the bill makes it a criminal offense for anyone to knowingly
conceal a data breach.

Lastly, our bill will require companies to report data breaches to a
designated Federal government entity as established by the Department
of Homeland Security. This entity will serve as a central repository
for information on all data breaches of a certain magnitude and will,
in turn, notify other relevant Federal and law enforcement agencies,
such as the Department of Justice, Secret Service, FTC, and affected
State Attorneys General.

I would like to note that, while the impetus behind introducing this
bill is to provide consumers with the strongest protections possible,
the bill will also provide businesses with regulatory certainty--
something they currently lack. Our bill will finally codify into
regulation what the FTC is already doing; that is, the Commission has a
long history of bringing enforcement
actions against companies for negligent data security practices as
violations of the FTC Act's broad prohibition against "unfair or
deceptive acts or practices." Indeed, the Commission is currently
embroiled in numerous data breach cases. The FTC's new data security
rules mandated by our bill will finally provide more explicit detail to
industry regarding the rules of the road. Importantly, the bill will
create one set of Federal rules; it will preempt State laws with regard
to data security and breach notification so that companies no longer
have to operate under a patchwork of differing state laws.

Notwithstanding my frustration over Congress's decade-long failure to
pass meaningful data security legislation, I remain hopeful that this
year will be different. The American public is demanding that we do
something about a problem that is only getting worse. As I noted
earlier in my remarks, there will be more data breaches in the future--
it is inevitable. And the consequences are not trivial. Not only do
these data breaches impose potentially devastating financial
consequences on consumers who are victimized by identity theft and
other financial fraud, these breaches also threaten basic consumer
privacy. Companies continue to collect, aggregate, and house an
unfathomable amount of personal information about all of us. These same
companies must guard that information with the highest of security
standards. While I am not naive to think our bill will prevent all data
breaches of the future, I am confident that it will go a long way
towards pushing companies to do more--much more. And it will finally
provide consumers with peace of mind that--when a breach does occur--
they will be notified as soon as possible so they may take the
necessary steps to protect themselves.

I thank Senators Feinstein, Pryor, and Nelson for helping me on this
important bill.
____________________