Schiff Introduces Bill to Improve Data Security, Protect Consumers from Identity Theft, and Enhance Law Enforcement's Capability to Combat Cyber Threats

Washington, D.C. – Today, Rep. Adam Schiff (D-CA) introduced the Data Breach Notification Act to improve data security, protect consumers from identity theft, and enhance law enforcement’s capability to combat cyber threats.

“The FTC estimates that there are 10 million victims of identity theft every year, at a cost of close to $50 billion annually,” Rep. Schiff said. “The Data Breach Notification Act would attack the problem of identity theft by making sure consumers have the information they need to protect themselves, while also providing a powerful incentive for companies and agencies to enhance their data security.”

Specifically, the legislation would create a requirement for any federal agency or business engaged in interstate commerce to notify individuals whose sensitive personal information is purposefully breached or accidently disclosed to a third party. Sensitive personal information includes full social security numbers, driver’s license numbers, financial information, and other information that could be used for identity theft.

For the past two years, the President’s Identity Theft Task Force has been recommending that Congress enact federal data breach legislation to replace the existing “patchwork of state laws and sector-specific federal laws and regulations that are varied and have uneven application.” (Pages 13 & 14)

As the Director of National Intelligence explained to the Intelligence Committee in February, “a growing array of state and non-state adversaries are increasingly targeting—for exploitation and potentially disruption or destruction—our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”

The Data Breach Notification Act, would enhance law enforcement’s ability to combat these threats. The bill would also require entities to notify law enforcement in the event of any breach involving more than 10,000 records, a database of more than 1,000,000 records, a federal government database, or information about law enforcement or national security agents. This would enable law enforcement to determine whether these breaches are isolated incidents or part of larger cyber-threats from organized crime rings, hostile foreign organizations, or even foreign governments. If the breach involves more than 5,000 people in any state, notice must also be provided to major media outlets in that state, as well as credit reporting agencies.

The measure introduced by Rep. Schiff today is a companion to S.139, legislation introduced in the Senate by Sen. Diane Feinstein (D-CA).