(Washington, DC) – Senator Richard Blumenthal (D-CT) introduced the Personal Data Protection and Breach Accountability Act of 2011 last week, legislation to protect consumers from threats to their sensitive personally-identifiable information online and safeguard data security. The bill takes a substantive, multi-pronged approach to combating the risks associated with data breaches for both consumers and businesses, helping to ensure companies take adequate steps to protect individuals from data breaches before they occur, to promote information sharing between companies to help prevent future breaches, and to provide remedies to individual consumers in the wake of data breaches.
Blumenthal said, “My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers’ data before breaches occur, and by holding entities accountable when consumers’ personally-identifiable information is compromised. Systems to safeguard such private personal information, and prompt notification in cases of breach, both should be required, along with consumer remedies to compensate for any harm. Personal information can cause devastating damage if it falls into the wrong hands. The protections in this legislation will help provide better security and peace of mind for consumers and businesses in Connecticut and across the country.”
In 2011 alone, nearly 23 million cases of data breaches involving personally identifiable information were reported. Blumenthal’s bill aims to combat the growing problem of data breaches involving personal information by:
· Deterring Preventable Breaches: in order to help prevent sensitive personal information from falling into the wrong hands, the bill creates a process for helping companies to establish appropriate minimum security plans to safeguard sensitive consumer information, and holds them accountable for failing to comply with these plans;
· Minimizing Consumer Harm: to allow consumers to take immediate action to protect themselves after a breach, the bill requires companies to promptly notify consumers after a breach has occurred. Additionally, companies are required to provide consumers with a number of remedies to help mitigate the risk of damage and help make them whole again.
· Promoting Technical Information-Sharing: to help prevent future breaches, the bill facilitates better information-sharing between federal agencies, law enforcement, and the private sector to alert businesses to specific threats.
Specifically, Blumenthal’s legislation provides for remedies to greatly reduce the potential harm following a data breach, as companies have a duty to provide the necessary services to prevent or limit the amount of harm that consumers might suffer. By providing the following services to consumers, at no cost, the potential harm following a breach will be greatly reduced:
· Two years of credit monitoring to help consumers monitor unauthorized activity on their accounts so they can take prompt action to protect themselves
· A “security freeze” to allow consumers more control over who can access their credit information. This is vital not only to protect the consumer from an identity thief using the consumer’s information to open new accounts, but also to shield the consumer’s credit information while he or she contests fraudulent activity made by an identity thief.
· Insurance against fraud or reimbursement for actual damages and costs incurred to protect consumers from costs and out-of-pocket expenses stemming from identity theft
Additionally, because the individuals whose sensitive information is compromised suffer the most serious consequences of a security breach, the legislation allows individuals who are harmed to enforce the data security and notification requirements and recover damages for injuries caused by the failure of companies to follow the law.
Blumenthal is a member of the Senate Judiciary Subcommittee on Privacy, Technology, and the Law and has been an outspoken advocate for enhanced consumer protections against data breach incidents and corporate accountability following major data breach incidents this past spring.