STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS -- (Senate - February 06, 2007)
BREAK IN TRANSCRIPT
Mr. SPECTER. Mr. President, I seek recognition today to discuss the Personal Data Privacy and Security Act of 2007, which I am introducing with Senator LEAHY. Not long ago, personal information--Social Security numbers, birthdates, mothers' maiden names, addresses--all remained relatively private. Some information--for example, whether you had a mortgage on your home--might have been publicly available, but finding that information required a trip to the local courthouse. For the most part, the sheer difficulty of obtaining personal information kept it private. This privacy--what Justice Brandeis called the freedom to be left alone--has been a cherished value throughout American history.
As everyday transactions increasingly occur electronically, personal information can be stored, transmitted and accessed much more easily. Most Americans have benefited from this change. Because personal information is available electronically, Americans enjoy the convenience of purchasing goods over the phone or on the Internet. They can obtain a home mortgage in a matter of hours. They can apply for a credit card while they wait at the store. The availability of such information also helps law enforcement agencies conduct investigations and apprehend criminals.
In electronic form, personal information is both more valuable and more vulnerable. As the multitude of security breaches that have occurred over the past 2 years demonstrate, electronic information is more vulnerable because it can be accessed anonymously from afar and can be stolen in a split second. According to the Privacy Rights Clearing House, since February 2005, over 100 million records containing personal information have been subject to some sort of security breach. The first of these incidents to come to light involved commercial data broker ChoicePoint, which in February 2005 reported that identity thieves had gained access to personal information of 163,000 people. The identity thieves had obtained the information by setting up sham accounts with ChoicePoint. ChoicePoint eventually settled with the FTC for $15 million, including $5 million for consumer redress. However, consumers might never have found out about the breach. The incident only came to light because of a law California had recently adopted requiring ChoicePoint and others to provide notice of security breaches involving personal information to California residents who were affected by the breach. As a result of the California law, Americans for the first time began learning that data brokers and others were routinely collecting and selling their personal information, and in so doing, they were not always keeping the information secure.
After the ChoicePoint incident came a long series of security breaches involving major American companies. In March of 2005, Designer Shoe Warehouse reported that hackers had gained access to personal information, including credit card numbers, on over 100,000 of its customers. Weeks later, Lexis Nexis reported that hackers had gained access to the personal information of over 300,000 individuals. Other blue-chip companies where unauthorized persons have gained access to personal information include Wal-Mart, General Motors, Wachovia Bank, H&R Block, Honeywell, AT&T, Lloyd's of London, ARCO, Visa, MasterCard, Bank of America, FedEx, OfficeMax, Blue Cross Blue Shield and Ralph Lauren. The largest incident came in June 2005, when Card Systems, which processes payments for the country's largest banks and credit card companies, reported that hackers had accessed 40 million records containing personal information. Most recently, TJ Maxx Stores and MoneyGram both had the personal information of their customers stolen from their computer systems. This list only includes security breaches involving wrong-doers who were trying to obtain personal information. The list would be much longer had it included inadvertent disclosure of personal information or incidents involving stolen computers or other equipment that happened to contain personal information.
A large number of colleges and universities have also suffered significant breaches, including the University of Southern California, which in July of 2005 reported that hackers had accessed 270,000 records containing personal data. Other educational institutions that have been hacked include Boston College, Northwestern University, Tufts University, UCLA, Michigan State, Carnegie Mellon, Purdue, Stanford, Duke, the University of Iowa, the University of Colorado, and the University of Utah.
Governments also have not been immune from attempts by identity thieves to obtain personal information. Hackers have accessed personal data at the Department of Defense, Department of Energy, the Air Force and the Department of Agriculture. Hackers obtained over half a million records containing personal data from a State agency in Georgia. The San Diego County Employees Retirement Association, the California Department of Corrections, the Nebraska Treasurer's office, the city of Lubbock, TX, and a Women, Infants and Children (WIC) program in Hawaii have all been the victims of similar thefts.
Electronic personal data is more valuable because identity thieves can steal a large volume of data and use it before anyone even knows their personal information has been compromised. For the last 5 years, identity theft has topped the FTC's list of consumer complaints. From 2002 to 2004, the number of complaints rose 52 percent, to 246,570. Put another way, that's one complaint every 2 minutes. But this is only the tip of the iceberg. Not all consumers report identity theft to the FTC. Not all victims report identity theft to their local police. Sixty percent of those who did file a report with the FTC did not call their local police department. It stands to reason that many did not call the FTC.
A recent study by the Better Business Bureau concluded that 8.9 million Americans were victims of identity fraud in 2006, and that each victim lost approximately $6,300. Ultimately, it has been predicted that nearly 20 percent of Americans will become victims of identity theft. Worse, according to the study, it took victims an average of 40 hours on the phone with creditors and credit bureaus to clear their names. I use the term "clear" loosely, because in many cases the damage caused by identity theft is irreversible. Victims will have fraud alerts on their credit reports for years to come, making it more difficult for them to open new accounts or make major purchases. Some will be erroneously contacted by collection agencies. Many will not even know they have been victimized until they try to get a car loan or a mortgage on a home.
Individuals who have not yet been victims also suffer. Businesses lose nearly $50 billion a year from identity thieves posing as customers. These losses translate into increased prices for every consumer. All Americans are victims of identity theft, even if their own information remains secure.
In some cases, the availability of electronic personal data can lead to tragedy. In 1999, a former high school classmate of Amy Lynn Boyer obtained her former work address and Social Security number from an on-line data broker. Using this information, he called Amy's mother and posed as the former employer, convincing Amy's mom to give him Amy's new work address. He then drove to Amy's workplace and fatally shot her.
In an effort to protect the privacy and security of our personal information, and prevent future tragedies, small and large, last Congress, Senator LEAHY and I introduced the Personal Data Privacy and Security Act. The problem is one of large proportions and many have views on how to go about tackling it. Six committees, three on the House side and three on the Senate side, introduced legislation last Congress addressing data security. At least two other Senate committees became involved in the issue. It is my hope that the differences among committees and members can be bridged this Congress. The problem is simply too large to ignore.
In an effort to start that process, Senator LEAHY and I are again introducing the Personal Data Privacy and Security Act. We are reintroducing the bill in largely the same form that it was approved by the Judiciary Committee last Congress. The bill takes a comprehensive approach to the problem, an approach I believe is necessary. First, the legislation goes after identity thieves by increasing penalties for crimes involving electronic personal information. It also contains criminal penalties for those who intentionally conceal a security breach involving personal data. Those who actively conceal breaches attempt to protect themselves by gambling with the reputations and finances of innocent Americans. They deserve to be punished.
The bill also empowers Americans to look after the privacy of their own information. The bill will allow individuals to gain access to their personal information when it is in the hands of commercial data brokers. For individuals who believe their information is wrong--possibly because of the activities of identity thieves--data brokers must provide assistance with correcting their information.
The legislation also places some of the burden of protecting privacy on those that collect personal information. It will require the companies, government agencies, universities and others that deal with personal information to identify and remedy any weaknesses in their computer systems.
Such measures will not always be enough. As I've already noted, the nature of electronic information makes it vulnerable even when reasonable steps are taken to protect it. Currently, over 30 States have adopted legislation requiring companies, agencies, universities and others to give notice when they experience a security breach that involves personal information. However, no Federal law imposes such a requirement. As a result, companies are forced to comply with over 30 different State laws, an expensive and time-consuming endeavor.
The Personal Data Privacy and Security Act requires that both affected individuals and law enforcement receive notice. Knowledge is power. Once individuals learn that their personal information is exposed, they can take steps to protect themselves. And, the company, school or agency that experienced the breach must help. They must provide individuals whose data was lost with credit monitoring. For large breaches, the media must be notified. Media reports over the past 2 years have made Americans far more aware of the problem of security breaches. Hopefully, we can raise awareness by continuing the practice of making public announcements. Notice will also give law enforcement a head start in catching those who steal personal information.
Finally, this legislation will protect the privacy of all Americans by providing a check on the government's use of commercial databases. Federal law enforcement agencies use commercial databases to track criminals and criminal activity. Correctly used, these databases can be very useful tools in the fight against crime. However, there should be some check on their use. The bill makes it clear that protections similar to those provided by the Privacy Act are applied to the government's use of commercial databases. The legislation also aims at making sure the government's use of such data is secure.
This bill represents a comprehensive effort to protect the privacy and security of the personal information of all Americans. The lives of most Americans have been made easier because our personal information is readily available to those who have a legitimate need for it. This legislation aims to keep such information out of the hands of those who have no legitimate need for it. I want to take a moment to thank my colleague, Senator LEAHY, who has been tireless in his efforts to promote individual privacy. He has long fought these issues on the Senate floor and has been a leader in securing the privacy rights of all Americans. I urge my colleagues to join us in supporting this important legislation.