Congresswoman Mary Bono Mack (CA-45), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, today delivered the following opening statement during a markup of her legislation, the Secure and Fortify Electronic Data Act of 2011. The SAFE Data Act, which will help to protect American consumers from identity theft, passed out of Bono Mack's subcommittee on a voice vote and now moves to the full Energy and Commerce Committee for consideration.
Every year -- for millions of Americans -- identity theft has become the bogeyman in the closet. It's a crime that lurks in the shadows and strikes without warning, often leaving its victims trapped in a real-life nightmare where they can spend years trying to recover stolen assets, restore their credit and resume a normal life -- if they're lucky.
According to the Federal Trade Commission, nearly 10 million Americans fall victim to identity theft each year. But a recent report -- using information from the I.D. Theft Center and other sources -- paints an even darker picture of this insidious crime, revealing that 1 in 10 Americans have had their identities stolen at some point in their life.
The toll has been predictable and devastating:
* The cost of identity theft to U.S. businesses is estimated to be more than $50 billion a year.
* Nearly 2 million American households a year have their bank accounts, credit cards or debit cards compromised.
* The average amount stolen from each American consumer amounts to nearly $5,000 and the out-of-pocket cost for victims to resolve identity theft damage ranges from $850 to nearly $1,500.
* Just as troubling, 70 percent of victims have difficulty removing negative information from their credit reports because of identity theft. It takes an average of 330 hours to repair the damage done by identity theft. And about 15 percent of victims don't learn of the identity theft for up to four years.
It's time for Congress to take decisive action. Sophisticated and carefully orchestrated cyber attacks -- designed to obtain personal information about consumers, especially when it comes to their credit cards -- have become one of the fastest growing criminal enterprises here in the United States and across the world. The boldness of these attacks and the threat they present to unsuspecting Americans was underscored recently by massive data breaches at Sony, Epsilon and Citigroup.
This constant assault on American consumers only reinforces my long-held belief that much more needs to be done to protect sensitive personal information. The Secure and Fortify Electronic Data Act, HR 2577, is designed to accomplish this goal by establishing uniform national standards for data security and data breach notification. The SAFE Data Act is crafted around a guiding principle: Consumers should be promptly informed if their personal information has been jeopardized.
With cyber attacks clearly on the rise, something needs to be done immediately. In April of this year alone, some 30 data breaches at hospitals, insurance companies, universities, banks, airlines and governmental agencies impacted nearly 100 million records. And that's in addition to the massive breaches at Sony, Epsilon and Citigroup.
To help combat this growing problem, the SAFE Data Act requires companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.
It requires the notification of consumers within 48 hours after identifying the specific information that was breached, unless it was an innocent or inadvertent breach unlikely to result in harm.
The SAFE Data Act also gives the Federal Trade Commission authority over non-profits for purposes of this act only. These organizations often possess a tremendous amount of consumer information, and they have fallen prey to numerous breaches in the past.
In addition, my legislation requires all covered businesses to establish a data minimization plan providing for the elimination of consumers' personal data that is no longer necessary for business purposes or for other legal obligations.
And, finally, the SAFE Data Act preempts similar state laws to create uniform national standards for data security and data breach notification. We learned during our recent hearings that consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes.
Since our draft discussion was first released more than a month ago, we have held countless meetings, reaching out to stakeholders and my colleagues on the other side of the aisle. We have made a good faith effort to address their concerns. Most notably, at the urging of Democrats, we have:
* Agreed to make the concept of "assessing the nature and scope of a breach" so it can't become a pretext for delaying notification;
* Agreed to strike the requirement to "reasonably restore the integrity of the data system";
* Agreed that entities governed by Gramm-Leach-Bliley -- but that fall under FTC jurisdiction -- are subject to the requirements of the SAFE Data Act;
* And, importantly, agreed on a backstop of 45 days for breach notification. In past legislation, the drop-dead date for notification was 60 days.
With nearly 1.5 billion credit cards now in use in the United States -- and identity theft impacting as many as 1 in 10 Americans -- the SAFE Data Act provides important new safeguards for consumers, and I strongly urge its adoption.