[Congressional Record Volume 160, Number 18 (Thursday, January 30, 2014)]
[Senate]
[Pages S656-S657]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. ROCKEFELLER (for himself, Mrs. Feinstein, Mr. Pryor, and 
        Mr. Nelson):
  S. 1976. A bill to protect consumers by requiring reasonable security 
policies and procedures to protect data containing personal 
information, and to provide for nationwide notice in the event of a 
breach of security; to the Committee on Commerce, Science, and 
Transportation.
  Mr. ROCKEFELLER. Mr. President, today, I am introducing the Data 
Security and Breach Notification Act of 2014. I introduce this bill 
with my good friend, Senator Feinstein, Chairman of the Intelligence 
Committee, as well as Senators Pryor and Nelson, valued Subcommittee 
Chairmen on the Senate Commerce Committee. I want to express my 
particular gratitude to Senator Pryor for his work on this issue. He 
has long been the champion of data security legislation on the Commerce 
Committee, and his well-known commitment and expertise on this issue, 
as well as his support of our current bill, have proven to be 
indispensable.
  While the recent breaches at Target and Neiman Marcus have made 
headlines, these breaches are nothing new. Data breaches have happened 
before, and they will inevitably occur in the future. Understanding 
this, there is much more that can be done to prevent breaches and, when 
they occur, respond to them.
  Similarly, the concepts in today's bill are not new and have been 
considered by Congress before. The bill that Senators Feinstein, Pryor, 
Nelson, and I introduce today is not a significant departure from the 
bill that Senator Pryor and I introduced in the past two Congresses. 
Like the earlier bills, it is predicated on basic principles: companies 
should adopt strong security protocols to protect consumers' personal 
information; they should quickly notify affected consumers in the event 
of a breach; and the Federal Trade Commission, FTC, and State attorneys 
general should be empowered to fully enforce the law. With those 
principles as a framework, the bill we introduce today has four key 
elements.
  First, it directs the FTC to promulgate rules establishing robust 
data security protocols that companies and nonprofits must adopt when 
collecting and storing consumers' personal information. These rules 
will be strong, but they will also be flexible. We recognize that 
security measures for a large multi-billion-dollar corporation may not 
be appropriate for a small business. As such, the Commission is 
required to consider the impact on small businesses and other 
mitigating factors in developing its rules.
  Second, the bill requires breached companies to notify affected 
consumers unless there is no reasonable risk of identity theft, fraud, 
or other unlawful conduct. In so doing, the breached company must also 
provide those consumers with free credit reports. If companies adopt 
advanced technologies that render their personal data unreadable, 
indecipherable, or otherwise unusable, there is a rebuttable 
presumption that no risk to consumers exists. The FTC, in consultation 
with the National Institute of Standards and Technology, shall 
establish guidelines identifying the technologies that would qualify 
for this rebuttable presumption.
  Third, the bill will establish a two-pronged enforcement system, 
whereby the FTC and state Attorneys General are afforded not only 
traditional equitable remedies but civil penalty authority as well. 
Moreover, the bill makes it a criminal offense for anyone to knowingly 
conceal a data breach.
  Lastly, our bill will require companies to report data breaches to a 
designated Federal government entity as established by the Department 
of Homeland Security. This entity will serve as a central repository 
for information on all data breaches of a certain magnitude and will, 
in turn, notify other relevant Federal and law enforcement agencies, 
such as the Department of Justice, Secret Service, FTC, and affected 
State Attorneys General.
  I would like to note that, while the impetus behind introducing this 
bill is to provide consumers with the strongest protections possible, 
the bill will also provide businesses with regulatory certainty--
something they currently lack. Our bill will finally codify into 
regulation what the FTC is already doing; that is, the Commission has a 
long history of bringing enforcement
actions against companies for negligent data security practices as 
violations of the FTC Act's broad prohibition against ``unfair or 
deceptive acts or practices.'' Indeed, the Commission is currently 
embroiled in numerous data breach cases. The FTC's new data security 
rules mandated by our bill will finally provide more explicit detail to 
industry regarding the rules of the road. Importantly, the bill will 
create one set of Federal rules; it will preempt State laws with regard 
to data security and breach notification so that companies no longer 
have to operate under a patchwork of differing state laws.
  Notwithstanding my frustration over Congress's decade-long failure to 
pass meaningful data security legislation, I remain hopeful that this 
year will be different. The American public is demanding that we do 
something about a problem that is only getting worse. As I noted 
earlier in my remarks, there will be more data breaches in the future--
it is inevitable. And the consequences are not trivial. Not only do 
these data breaches impose potentially devastating financial 
consequences on consumers who are victimized by identity theft and 
other financial fraud, these breaches also threaten basic consumer 
privacy. Companies continue to collect, aggregate, and house an 
unfathomable amount of personal information about all of us. These same 
companies must guard that information with the highest of security 
standards. While I am not naive to think our bill will prevent all data 
breaches of the future, I am confident that it will go a long way 
towards pushing companies to do more--much more. And it will finally 
provide consumers with peace of mind that--when a breach does occur--
they will be notified as soon as possible so they may take the 
necessary steps to protect themselves.
  I thank Senators Feinstein, Pryor, and Nelson for helping me on this 
important bill.

                          ____________________