Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

Senate Committee to Consider ID Theft Issues at April 13 Hearing

Senator Feinstein introduces bill to require national notice of data security breaches.

Monday, April 11, 2005

Susanna Montezemolo: 202-462-6262
Gail Hillebrand: 415-431-6747, ext 136

Senator Feinstein Introduces Bill to Require National Notice of Data Security Breaches

Senate Judiciary Committee to Consider Identity Theft Issues at April 13 Hearing

WASHINGTON, D.C. – Under new legislation introduced today by Senator Dianne Feinstein, companies that experience a breach in security would be required to notify all affected consumers whose personal information may have been compromised. The legislation follows a string of scandals involving companies whose security was breached, putting hundreds of thousands of consumers at risk of identity theft because information about them had been illegally accessed.

California is the only state that currently requires such notice. Companies have no legal obligation to alert consumers outside of California in the event that a breach in security compromises sensitive information about them. The Senate Judiciary Committee will hold a hearing on identity theft and possible solutions to address this growing form of financial fraud, including the Feinstein bill, at a hearing on Wednesday, April 13.

“All Americans deserve the right to be notified when their personal information may have fallen into the hands of an identity thief as a result of a company’s lax security,” said Susanna Montezemolo, Policy Analyst with Consumers Union’s Washington, D.C. office. “It shouldn’t be left up to a company that has had its security thwarted by crooks to pick and choose which consumers to notify or whether to notify anyone at all.”

The need for a national notice requirement became clear earlier this year when a fraud ring posing as legitimate businesses purchased sensitive records about 145,000 consumers from ChoicePoint, Inc., an information broker based in Georgia. News reports about the ChoicePoint scandal began to surface after the company notified an estimated 35,000 consumers in California that the security of their personal and financial information had been compromised. But the company initially indicated that it had no plans to alert consumers outside of California. ChoicePoint officials eventually told affected consumers nationwide after negative publicity about the incident grew and public officials in other states demanded fuller disclosure.

In addition to requiring companies to tell all affected consumers about a breach in security, the bill provides those individuals with an important safeguard to prevent identity thieves from opening new accounts in their name. The bill entitles all notified consumers to put an extended fraud alert on their credit file, which lasts for seven years and instructs creditors to exercise more care to verify the identity of credit applicants. Current law only entitles consumers to place an initial 90-day fraud alert on their credit file, which must be renewed repeatedly to ensure such protection.

“This bill gives consumers early notice that they may be at risk of identity theft so they can take steps to protect themselves,” said Montezemolo. “Requiring notice of security lapses also creates a significant new incentive for businesses to review and strengthen their security procedures so that they don’t get duped by crooks and have to alert potential identity theft victims.”

Consumers Union is supporting other measures to address identity theft, including federal efforts to impose security standards and fair information practices on information brokers, restrictions on the sale, sharing, use and posting of Social Security numbers by private and government agencies, and state efforts to give consumers the right to put a security freeze on their credit files.