STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS -- (Senate - June 29, 2005)
BREAK IN TRANSCRIPT
By Mr. SPECTER (for himself and Mr. LEAHY):
S. 1332. A bill to prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information; read the first time.
Mr. SPECTER. Mr. President, I rise today to introduce S. 1332, the Personal Data Privacy and Security Act of 2005.
Not too long ago, our personal information--our Social Security numbers, our date of birth, our mothers' maiden name, where we live--all remained relatively private. Where we live, and what we paid for our house, and whether we had a mortgage might have been publicly available, but finding that information out would require a trip to the local recorder's office. Our privacy was preserved by the sheer difficulty of obtaining the information. This privacy--the ability to be left alone--has been a cherished value throughout American history.
As our day-to-day transactions have become electronic, more and more of our personal data has been stored, transmitted and accessed electronically. Almost all of us have benefited from this change. Because our personal information is available electronically, we can purchase goods and services over the phone or on the internet. We can obtain a mortgage or rent an apartment in a matter of hours. We can apply for a credit card while we wait at the store and purchase things on-line. The availability of such information also helps law enforcement agencies conduct investigations and catch criminals. The information has also been used to do good. In one instance, Associated Press journalists matched Social Security numbers obtained from data brokers to Mississippi prison data exposing eight school teachers who failed to report that they had been convicted of sex offenses or drug crimes.
However, as Justice Warren prophetically wrote in the 1963 case, Lopez v. United States--a case balancing the privacy interests of an individual with the law enforcement needs of the government--``The fantastic advances in the field of electronic communication constitute a great danger to the privacy of the individual.'' In electronic form, our personal information is both more valuable and more vulnerable. As we have all witnessed in recent months, electronic data is more vulnerable because it can be accessed from afar and can be stolen in a split second. The problem first became apparent when data brokers, companies that buy and sell our personal data, announced that they had experienced large-scale breaches involving the personal data of hundreds of thousands of Americans. In February, ChoicePoint, one of the Nation's largest collectors of consumer information, notified over 145,000 Americans of a system security breach. In March, LexisNexis announced that unauthorized persons posing as legitimate customers obtained the personal data of over 300,000 Americans.
It soon became apparent that the problem extended beyond data brokers. In April, Carnegie Mellon University notified 19,000 students, alumni, faculty and staff that their personal data may have been compromised. In May, a data storage company lost information on 600,000 current and former employees of Time Warner. In recent days, MasterCard announced 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker--the largest breach yet.
Even government agencies have not been immune. Personal data including Social Security numbers on nearly 6,000 current and former Federal Deposit Insurance Corporation employees was stolen early last year, some of which has been used for fraudulent purposes.
Electronic personal data is more valuable because identity thieves can steal large volumes and use it before anyone knows. For the last 5 years, Identity Theft has topped the FTC's list of consumer complaints. From 2002 to 2004, the number of complaints rose 52 percent, to 246,570. Put another way, that's once every 2 minutes. But this is only the tip of the iceberg. Not all consumers report identity theft to the FTC. Not all victims report identity theft to their local police. Sixty percent of those who did file a report with the FTC did not call their local police department. It stands to reason that many did not call the FTC.
A recent study by the Better Business Bureau concluded that 9.3 million Americans were victims of identity fraud in 2004, and that each victim lost approximately $5,800. Ultimately, nearly 20 percent of Americans will become victims of identity theft. Worse, according to the study, it took victims an average of 28 hours on the phone with creditors and credit bureaus to clear their names. I use the term ``clear'' loosely, because in many cases the damage caused by identity theft is irreversible. Victims will have fraud alerts on their credit reports for years to come, making it more difficult to open new accounts or make major purchases. Some will be erroneously contacted by collection agencies.
Individuals whose personal information is not stolen also suffer. Businesses lose nearly $50 billion a year from identity thieves posing as customers. These losses translate into increased prices for every consumer.
In some cases, the availability of electronic personal data can lead to tragedy. In 1999, a former high school classmate of Amy Lynn Boyer obtained her former work address and social security number from an on-line data broker. By calling her home and posing as the former employer, he convinced Amy's mom to give him Amy's work address. He then drove to Boyer's workplace and fatally shot her.
In an effort to protect the privacy and security of our electronic personal information, and prevent future tragedies, small and large, my colleague Senator LEAHY and I are introducing the Personal Data Privacy and Security Act of 2005. First, this legislation goes after identity thieves by increasing penalties for crimes involving electronic personal data. For example, it increases penalties for computer fraud when such fraud involves personal data. It also goes after those who intentionally expose Americans to identity theft by punishing those who intentionally conceal a security breach that involves personal data.
The bill also empowers Americans to look after the privacy of their own data. The bill will allow individuals to obtain access to any personal information held by data brokers. For individuals who believe their information is wrong, data brokers must provide them with guidance on how to correct their information.
The legislation also puts the burden on those that store, transmit and access electronic personal data. It will require the companies, government agencies, universities that keep significant amounts of personal data to assess the vulnerability of their systems and to adopt policies that will address those vulnerabilities. Some entities will choose to encrypt the personal data that they store and transmit. Others will pick a means more appropriate to their size and the sensitivity of their data.
Of course, these provisions do not apply to data held by health care providers and financial institutions that is already regulated by other federal laws. This legislation fills in gaps left by other federal laws. It has become clear that many entities other than health care providers and financial institutions have large amounts of personal information. This legislation would require such entities to adequately protect their electronic data.
Such measures will not always be enough. As I've already noted, the nature of electronic data makes it vulnerable even when those who hold it take reasonable steps to protect it. Currently, no federal law requires those who maintain our sensitive personal data to notify affected individuals when such data is lost or exposed. This legislation would require those who maintained such data to notify affected individuals as well as law enforcement. As everyone knows, knowledge is power. Once individuals learn that their personal information is exposed, they can take steps to protect themselves. And, the company, school or agency that experienced the breach must help. They must provide individuals whose data was lost with a monthly credit report and they must provide information on the identity theft victim assistance available to them. For large breaches, the media must be notified. Media reports over the past few months have made Americans far more aware of the problem of security breaches. Hopefully, we can continue to raise awareness by requiring data holders to continue the practice of making public announcements regarding large breaches. Notice will also give law enforcement a head start in the effort to prevent harm to individuals as a result of a breach.
One of the most critical pieces of information that can be lost is one's Social Security number. We can all think of instances when we've been asked for our Social Security number to verify our identities--utilities, doctors, schools--I could go on. In itself, this is not harmful. Problems arise, however, when the Social Security number gets passed along to others without the person's knowledge or permission. The legislation would prohibit companies from buying, selling or displaying a Social Security number without consent from the individual whose number it is. The bill also would prevent companies from requiring individuals to give their Social Security number in order to obtain goods or services. Finally, it would bar government agencies from posting public records that contain Social Security numbers on the internet. This legislation would not prevent the use of Social Security numbers altogether. We recognize that would not be practical. It would, however, protect the value of Social Security numbers by preventing their proliferation.
Finally, this legislation will protect the privacy of all Americans by providing a check on the government's use of databases maintained by data brokers. As I've already noted, federal law enforcement uses electronic personal data maintained by data brokers to track criminals and criminal activity. Correctly used, these databases can be very useful tools in the fight against crime. However, there should be some check on their use. In addition, the legislation aims at making sure the government's use of such data is secure. It will require audits to ensure that data brokers are keeping law enforcement inquiries private.
This bill represents a comprehensive effort to protect the privacy and security of electronic personal data. Our lives have all been made easier because our personal information is readily available to those who have a legitimate need for it. This legislation aims to keep such information out of the hands of those who have no legitimate need for it. I urge my colleagues to join me in supporting this important legislation. I ask unanimous consent that the text of the bill be printed in the RECORD.
There being no objection, the bill was ordered to be printed in the RECORD, as follows:
BREAK IN TRANSCRIPT