Sen. Menendez Announces New Legislation to Protect Consumers in Wake of Retail Data Breaches

Sen. Menendez Announces New Legislation to Protect Consumers in Wake of Retail Data Breaches

Will also take part in Senate hearings next week

MAYWOOD, NJ - U.S. Senator Robert Menendez (D-NJ) today announced that he will introduce the Commercial Privacy Bill of Rights to strengthen protections for consumers' sensitive data, provide them with greater privacy rights and establish reasonable accountability measures for businesses. As a member of the Senate Banking Committee, he will also be participating next week in hearings he had called for on data protection.

"We must make sure that the massive Target data breach is more than a target of concern, but a trigger for action," said Sen. Menendez. "As our economy becomes increasingly dependent on technology, our enforcement cannot remain stuck in the past. Consumers rightfully have come to expect a level of security and privacy, but we as a nation have been struggling to fulfill this expectation."

The Senator added: "We should pass a Privacy Bill of Rights that will give consumers the protections they need, create common-sense accountability measures for businesses so our personal information is not held hostage to the power of our technology, place limits on both the type of information businesses may collect, and limit how long they can retain that information."

Target announced last month that a data breach had occurred between November 27 and December 15, 2013 affecting tens of millions of credit and debit card accounts, compromising customers' names, card information, security codes and PIN numbers to hackers. Since then, they've revised those numbers upward and retailers like Neiman Marcus and Michaels have disclosed similar large-scale breaches affecting their customers.

"Target was just the tip of the privacy and data security iceberg," said Sen. Menendez, as he stood outside a Target at the Bergen Mall. "Issues of privacy, certainly at the retail level and the security of our personal information at every level, are on the minds of everyone."

After the Target breach, Sen. Menendez wrote Federal Trade Commission Chairwoman Edith Ramirez asking if the FTC needs further legislative authority to hold retailers accountable for failures to protect consumers' sensitive data. She responded by urging Congress to enact data security legislation that gives the FTC civil penalty authority as it is superior to the FTC's traditional remedies. The FTC also recommends that Congress establish a general federal breach notification requirement.

Menendez said he would be introducing a Commercial Privacy Bill of Rights which:

  • Protects individual privacy and data rights by placing limits on both the type of information an entity may collect and for how long it may retain that information.
  • Provides Consumers with participation and notice rights. The bill requires the FTC to issue regulations that allow individuals to opt out of the transfer of their covered information to third parties for behavioral advertising or marketing; access and correct any personally identifiable information the entity has stored; and compel those entities inform their customers of and allow them to exercise their rights.
  • Protects information from distribution to third parties by requiring that entities contractually protect consumer information when transferring it to a third party.
  • Avoids unduly burdening businesses by requiring an independent NGO to help companies implement the Act and tasking the Department of Commerce with organizing outside entities towards the creation of safe harbor provisions. This legislation would only apply to entities covered by the FTC that collect, use, transfer, or store certain information concerning more than 5,000 people during a 12 month period. While the bill will be enforced by State Attorneys General and the FTC, private suits based on the law would be prohibited.

On Monday, Menendez will question officials from the Secret Service, the FTC's Bureau of Consumer Protection, as well as retail, banking and security industry leaders about these data breaches during a hearing in the Senate Banking Subcommittee on National Security and International Trade and Finance. He will join a full Senate Banking Committee on Thursday.

"I am hopeful that the hearings will shed light on what additional protections are necessary," Sen. Menendez added. "The hearings will also allow us to further explore legislative options and build upon legislative recommendations that I have received from the Federal Trade Commission."