WASHINGTON (5/27/14)--Sen. Robert Menendez (D-N.J.) and Rep. Albio Sires (D-N.J.) have introduced new data security legislation in the wake of eBay's announcement Wednesday that users' personal information may have been compromised. The Menendez-Sires Commercial Privacy Bill of Rights aims to increase consumer protections and, in the event of a data breach, hold corporations accountable.
The proposed bill would do the following:
Place limits on both the type of information an entity may collect and for how long it may retain that information.
Require the FTC to issue regulations requiring companies to get consumers' opt-in consent for the transfer of their covered information to third parties for behavioral advertising or marketing; allow consumers to access and correct any personally identifiable information the entity has stored; and compel those entities to inform their customers of those rights and allow them to exercise them.
Require entities to contractually protect consumer information when transferring it to a third party.
Create a uniform data security notification standard to replace the current patchwork of notification rules and ensure timely notice of a data breach to consumers.
Provide additional protections for children through inclusion of the Do Not Track Kids Act.
Require an independent non-governmental organization to help companies implement the bill, and task the Department of Commerce with organizing outside entities toward the creation of safe harbor provisions.
Since the Target data security breach last holiday season, breaches at Michaels and Neiman Marcus have also followed, with eBay being the most recent high-profile example. (See related story: Compromised non-payment card data on the rise: Trustwave.)
In a response to a letter from Menendez following the Target breach, Federal Trade Commission (FTC) Chair Edith Ramirez urged Congress to enact data security legislation that gives the FTC civil penalty authority and recommended that Congress establish a general federal breach notification requirement.
"When we shop, every consumer assumes that companies will protect their data by any means necessary. Yet in the last year, we have read far too many stories about hackers getting past corporations' security systems," Menendez said.
The legislation would apply only to entities covered by the FTC that collect, use, transfer, or store certain information concerning more than 5,000 people during a 12-month period. While the bill would be enforced by the attorney general, state attorneys general and the FTC, private suits based on the law would be prohibited.
The Credit Union National Association has asked Congress to address data security relative to merchants, who are not held to the same security standards as credit unions and other financial institutions.