Sophisticated cyber attacks are increasingly becoming the greatest threat to the future of electronic commerce here in the United States and around the world, and that's why Congress must take immediate steps to better protect the personal online information of American consumers. It's time for us to declare war on identity theft and online fraud.
The Secure and Fortify Data Act -- which establishes uniform national standards for data security and data breach notification -- is our opening shot.
The SAFE Data Act builds on legislation passed by the House in 2009 but never acted upon in the Senate. Most importantly, it reflects the changing landscape of data breaches and data security since that time.
It's an upgraded, 2.0 version of data security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon, which put more than 100 million consumer accounts at risk -- and those are just the ones we know about.
As Subcommittee Chairman, protection from identity theft and online fraud is one of my top priorities. Just last week, Citigroup -- which has the world's largest financial services network -- revealed a security breach in which hackers obtained personal information from hundreds of thousands of accounts.
According to law enforcement officials, the hackers were able to gain access to customer names, account numbers and contact information such as e-mail addresses.
Yesterday, we learned that an external website operated by the Oak Ridge Nuclear Weapons Plant was victimized by a cyber attack, and earlier this week -- the same group which claimed responsibility for attacks on Fox, PBS and Sony -- also hacked the Senate's public website.
In recent years, carefully-orchestrated cyber attacks -- intended to obtain personal information about consumers, especially when it comes to their credit cards -- have become one of the fastest growing criminal enterprises here in the United States and across the world.
The Federal Trade Commission estimates that nearly nine million Americans fall victim to identity theft every year, costing consumers and businesses billions of dollars annually. And the problem is only getting worse as these online attacks increase in frequency, sophistication and boldness.
As I have emphasized throughout our previous hearings, E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it -- and that starts with robust cyber security.
Most importantly, consumers have a right to know when their personal information has been compromised, and companies and organizations have an overriding responsibility to promptly alert them. To that end, the SAFE Data Act:
Requires companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data;
Requires the notification of law enforcement within 48 hours after discovery of a breach, unless that breach was an innocent or inadvertent breach unlikely to result in harm;
And it requires companies and other entities to begin notifying consumers 48 hours after taking steps to prevent further breach and determining who has to be notified.
The SAFE Data Act also gives the Federal Trade Commission authority over non-profits for purposes of this act only. These organizations often posses a tremendous amount of consumer information, and they have been subjected to numerous breaches in the past. At the same time, we want to work with those affected, as well as the FTC, to make sure any new regulations are not burdensome for small businesses -- especially during these difficult economic times.
In addition, we are granting the FTC authority to write rules that take into account the size and nature of the data that is being held online. Clearly, there are obvious differences between information brokers and local retail businesses -- and the rules should reflect those differences.
The proposed legislation also requires all covered businesses to establish a data minimization plan providing for the elimination of consumers' personal data that is no longer necessary for business purposes or for other legal obligations.
And, finally, the SAFE Data Act preempts similar state laws to create uniform national standards for data security and data breach notification. We learned during our recent hearings that consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes.
At the end of the day, I believe this legislation will greatly benefit consumers, businesses and the U.S. economy. Given the growing importance of e-commerce in nearly everything we do, we can no longer afford to sit back and do nothing. The time for action is now.