Menendez, Sires Introduce Data Security Legislation in Reaction to Latest Corporate Data Breach

WASHINGTON, DC - In the wake of eBay's announcement that its customers had their personal passwords exposed to hackers, U.S. Senator Robert Menendez (D-NJ) and Congressman Albio Sires (NJ-08) today introduced companion legislation to increase consumer protections and corporate accountability in the event of a data breach.

"This latest data breach confirms what we already know: our data is simply not safe," Sen. Menendez said. "When we shop, every consumer assumes that companies will protect their data by any means necessary. Yet in the last year, we have read far too many stories about hackers getting past corporations' security systems. The American people deserve better than knowing that their information will soon end up in the hands of criminals, and that is why I am introducing legislation that will finally give consumers rights over their personal information that are long overdue."

"Data breaches, like the ones we've most recently seen with eBay and Target, happen far too often," stated Rep. Sires. "Citizens put their trust in corporations and their security systems every day when they shop, bolstering the economy and providing for their families in the process. It is unfair that they are unprotected as they go about their daily lives. I am pleased to introduce this legislation with Senator Menendez in order to protect consumers' personal information and hold those accountable who fail to keep that information secure."

Earlier this year, Sen. Menendez held a Senate Banking Subcommittee hearing to address the spate of massive data breaches, including the pre-Christmas cyber attack on Target that exposed millions of customers' personal information to hackers. Customers at Michaels and Neiman Marcus were also victimized.

Sen. Menendez wrote Federal Trade Commission Chairwoman Edith Ramirez in December asking if the FTC needs further legislative authority to hold retailers accountable for failures to protect consumers' sensitive data. She responded by urging Congress to enact data security legislation that gives the FTC civil penalty authority as it is superior to the FTC's traditional remedies. The FTC also recommended that Congress establish a general federal breach notification requirement.

Today, eBay announced that hackers broke into their corporate databases between late February and early March. These criminals had access to customers' personal data, including customers' names, account passwords, email and physical addresses, dates of birth, and encrypted passwords. The company only discovered the breach two weeks ago.

The Menendez-Sires Commercial Privacy Bill of Rights is the product of months of engagement with stakeholders and will protect consumers by doing the following:

  • Places limits on both the type of information an entity may collect and for how long it may retain that information.
  • Requires the FTC to issue regulations requiring companies to get consumers' opt-in consent for the transfer of their covered information to third parties for behavioral advertising or marketing; access and correct any personally identifiable information the entity has stored; and compel those entities to inform their customers of and allow them to exercise their rights.
  • Requires entities to contractually protect consumer information when transferring it to a third party.
  • Creates a uniform data security notification standard to replace the current patchwork notification system and ensure every person has timely notice of a data breach.
  • Provides additional protections for our children through inclusion of the "Do Not Track Kids Act."
  • Avoids unduly burdening businesses by requiring an independent NGO to help companies implement the Act and tasking the Department of Commerce with organizing outside entities towards the creation of safe harbor provisions. This legislation would only apply to entities covered by the FTC that collect, use, transfer, or store certain information concerning more than 5,000 people during a 12-month period. While the bill will be enforced by the Attorney General, State Attorneys General, and the FTC, private suits based on the law would be prohibited.

Numerous organizations have long called for consumers' privacy rights legislation. In 2012, the Administration released a report called "Consumer Data Privacy in a Networked World," which called for a consumer privacy bill of rights. A May 1, 2014 report on data collection by White House counselor John Podesta renewed the call for legislation to protect consumers' collected data.