Modernizing Authentication — What It Takes to Transform Secure Access
U.S. Sen. Dianne Feinstein (D-Calif.) introduced legislation Friday to require businesses or government agencies to notify individuals if a database has been broken into and personal data has been compromised, including Social Security numbers, driver's licenses and credit cards.
The Notification of Risk to Personal Data Act would set a national standard for notification of consumers when a database breach occurs. Only California, which has a notification law going into effect Tuesday, requires businesses or government to disclose attacks on databases that compromise an individual's personal information.
Feinstein's legislation is based, in part, on the new California law and requires a business or government entity to notify an individual when there is a "reasonable basis to conclude that a hacker or other criminal has obtained unencrypted personal data maintained by the entity."
The bill defines personal data as an individual's Social Security number, driver's license number, state identification number, bank account number or credit card number.
Businesses or governments that fail to comply with the law would be subject to fines of $5,000 per violation or up to $25,000 per day while the violations persist.
"I strongly believe individuals have a right to be notified when their most sensitive information is compromised -- because it is truly their information," Feinstein said in a prepared statement. "This is both a matter of principle and a practical measure to curb identity theft. Ask the ordinary person on the street if he or she would like to know if a criminal had illegally gained access to their personal information from a database -- the answer will be a resounding yes."
According to Feinstein, the legislation's notification scheme minimizes the burdens on companies or agencies that must report a database breach. Notice would have to be provided to each person whose data was compromised in writing or through e-mail.
Exceptions include companies that have developed their own reasonable notification policies, encrypted data is used, or where it is too expensive or impractical (for instance, contact address information is incomplete) to notify every individual who is harmed.
Substitute notice includes posting notice on a website or notifying major media.
"This bill has a tough but fair enforcement regime, and will give ordinary Americans more control and confidence about the safety of their personal information," Feinstein said. "Americans will have the security of knowing that should a breach occur, they will be notified and be able to take protective action."