[Congressional Record (Bound Edition), Volume 163 (2017), Part 11]
[Extensions of Remarks]
[Page 15730]
[From the U.S. Government Publishing Office, www.gpo.gov]




           INTRODUCTION OF THE CYBER BREACH NOTIFICATION ACT

                                 ______
                                 

                          HON. J. LUIS CORREA

                             of california

                    in the house of representatives

                       Thursday, October 5, 2017

  Mr. CORREA. Mr. Speaker, the data breach at Equifax, one of three 
major American credit-reporting companies in the United States, exposed 
the personal and financial information of up to 143 million Americans. 
The data breach gave hackers access to Americans' highly sensitive 
personal and financial information, including Social Security numbers, 
birth dates, home addresses, driver's license numbers, credit card 
numbers, and credit dispute claims.
  The data breach occurred in May 2017, and, the agency became aware of 
the breach on July 29, 2017, but did not report it to the public until 
40 days later. The delay in disclosing the breach is concerning because 
almost half of all Americans' sensitive information could be in the 
hands of cyber criminals, who are willing and ready to use that 
information for identity fraud and other crimes.
  Cyber breaches like this one present a risk to privacy and 
individuals' personal financial welfare. In 2002, I helped pass 
California's data breach law requiring businesses and government 
agencies to notify residents of data breaches. This notification law 
was instrumental in ensuring the public was informed and could mitigate 
harm. It is imperative that breaches are reported in a timely manner 
for individuals to begin taking the appropriate steps in protecting 
their identities and financial information.
  That is why, today, I am introducing the Cyber Breach Notification 
Act to establish federal standards modeled after California's data 
notification law and HIPAA's data notification provisions, which is 
currently in place to notify individuals of data breaches. This 
legislation will require businesses to notify individuals affected by 
data breaches ``in the most expedient time possible and without 
unreasonable delay.'' Additionally, this legislation establishes a 
federal standard for data breach notification laws, but does not 
preempt current state breach notification laws or preclude states from 
creating more robust laws. This will ensure that millions of Americans 
are given proper and timely notice after a data breach to begin to 
mitigate harm.