Menendez, Sires Introduce Package of Consumer Protection Bills to Safeguard Americans’ Personal Information from Data Breach, Identity Theft



WASHINGTON, D.C. – U.S. Senator Bob Menendez (D-N.J.), a senior member of the Senate Banking Committee, and U.S. Representative Albio Sires (N.J.-08) introduced two critical pieces of legislation in both Houses of Congress that together would strengthen protections for consumers’ personal data and establish reasonable accountability measures for businesses and credit reporting agencies that fail to safeguard consumers’ personal information. 

“Consumers need to be assured that when they hand over personal information to companies such as retailers, banks, insurers, service providers, and credit reporting agencies, that those businesses will do everything they can to protect that private data from hackers and identity thieves, and that there’s accountability for those who don’t,” said Sen. Menendez. “After a wave of increasingly more wide-scale data breaches, it’s time for Congress to empower consumers and pass stronger data security standards for companies retaining vast troves of sensitive personal information online.”

“Since Senator Menendez and I first introduced the Commercial Privacy Bill of Rights in 2014, data breaches have presented a growing threat to consumers,” said Rep. Sires. “In the last few months alone, we found out about two major breaches at Equifax and Uber that put the personal information of hundreds of millions of Americans at risk. It is unacceptable that those impacted by these breaches did not know that their information was compromised for weeks, if not months, after the breaches were discovered. Congress must act to pass these comprehensive pieces of legislation in order to increase protections for consumers and hold those accountable who fail to keep personal information safe.”


The recent Equifax security breach exposed the vital, personal information of 143 million Americans, including Social Security numbers, addresses, phone numbers, and payment histories used to determine the creditworthiness of those applying for jobs, housing, mortgages, lines of credit, cars and student loans. An additional 209,000 consumers had their credit card numbers stolen, and another 189,000 people with disputes over their credit history had that information compromised.


Last month, Uber disclosed that the personal information of 57 million customers was stolen last year, but that the rideshare service had paid off the hackers to delete the data.  This came on the heels of other massive data breaches impacting millions of American consumers, including Yahoo, Target, Anthem, LinkedIn, Bank of America, Sony, Home Depot, Neiman Marcus, Staples, Michaels, Forever 21, eBay, J.P. Morgan Chase, Citibank, P.F. Chang’s, and Community Health Systems.


The Consumer Data Protection Act, a comprehensive plan Sen. Menendez first announced in September, would strengthen protections for consumers impacted by data breaches of consumer reporting agencies (“CRAs”).  The legislation holds CRAs accountable for such data breaches and incentivizes better data security practices while at the same time providing impacted consumers with tools to protect themselves.  The National Consumer Law Center, on behalf of its low-income clients, has announced support for the bill.


Consumer Data Protection Act


  • Establishes notification requirements. In the event of a data breach, the bill requires CRAs to notify within two days the FTC, CFPB, and law enforcement agencies.  Impacted consumers must be notified within three days.  The CRAs may receive an extension on this requirement for national security reasons.


  • Levies fines on consumer reporting agencies that fail to protect consumer data. The Consumer Data Protection Act provides the FTC the authority to levy fines against a CRA that negligently, knowingly, or willingly causes a data breach.


  • Provides impacted consumers with tools to protect themselves. The Consumer Data Protection Act requires breached CRAs to provide impacted consumers with the ability to impose or lift credit freezes at no cost for life, as well as providing lifetime credit monitoring services at no cost to consumers. In addition, CRAs are prohibited from including pre-dispute arbitration clauses in post-breach services.


  • Establishes a consumer-facing unit to assist consumers with their credit reports. In the event of a data breach, the legislation requires CRAs to create a consumer-facing unit in consultation with the CFPB that will provide assistance to consumers in disputing any adverse items entered into a consumer’s file after the date on which the breach occurred.


  • Creates a Private Right of Action. The Consumer Data Protection Act creates a private cause of action for affected individuals allowing them to vindicate their rights in a court of law. The bill prohibits CRAs from requiring consumers to waive their legal rights if they avail themselves of free credit freezes and credit monitoring services.


  • Requires the CFPB and FTC to Study the Impact on Consumers. The bill requires the CFPB and FTC, in conjunction with the Department of Justice, to conduct a comprehensive study regarding the costs and damages to individuals affected by data breaches at CRAs.


Sen. Menendez and Rep. Sires also reintroduced the Commercial Privacy Bill of Rights, a comprehensive privacy plan they first introduced in response to the 2014 eBay and 2013 Target breaches to strengthen protections for consumers’ sensitive data by providing consumers with greater privacy rights while establishing reasonable accountability measures for businesses. 


The Commercial Privacy Bill of Rights


  • Protects individual privacy and data rights. The legislation places limits on both the type of information an entity may collect and for how long it may retain that information. Companies will only be able to collect as much information as is reasonably necessary to process or enforce transactions or deliver services, prevent fraud, investigate a crime, maintain internal operations, or comply with other provisions of the law. Companies may collect information from an individual for use in marketing to that individual or for R&D aimed at improving or carrying out a transaction or delivering a service. Covered entities must also establish and maintain reasonable procedures to protect covered personally identifiable information.


  • Provides consumers with participation and notice rights. The bill requires the Federal Trade Commission to issue regulations that meet the following requirements: 1) entities must allow individuals to opt in to the transfer of their covered information; 2) an entity must allow individuals to access and correct any personally identifiable information the entity has stored; 3) upon termination of the entity-individual relationship, individuals may request that covered personally identifiable information be made non-personally identifiable; and 4) individuals must also be provided with a clear, conspicuous means of opting in to the transfer of covered information by a covered entity participating in the safe harbor program.


  • Protects information from distribution to third parties. The bill requires that entities contractually protect consumer information when transferring it to a third party. The contract must require that covered entities ensure that third parties are legitimate organizations, and prohibits the transfer of covered information if the third party has proven untrustworthy for violating certain sections of the Act. Third parties are treated as covered entities under this Act, unless the FTC finds compliance unnecessary or reasonably incapable.


  • Enforces a notice of breach security standard. The legislation requires that covered entities notify the FTC, law enforcement agencies, and each individual whose personally identifiable information was accessed or acquired in the event of a data breach. The bill enforces civil penalties in addition to other applicable penalties for noncompliance or repetitive violations.


  • Avoids unduly burdening businesses. The legislation allows the FTC to approve safe harbor programs that provide consumers with at least the same protections as those in the legislation. This legislation would also only apply to entities covered by the FTC that collect, use, transfer, or store certain information concerning more than 5,000 people during a 12-month period. While the bill will be enforced by State Attorneys General and the FTC, private suits based on the law would be prohibited.