March 29, 2005

U.S. Senator Diane Feinstein
331 Hart Senate Office Building
Washington, DC 20510

Dear Senator Feinstein:

Consumers Union, the non-profit independent publisher of Consumer Reports ®, strongly supports Senator Feinstein’s bill, announced March 29, 2005, to require persons and government agencies who maintain sensitive information about consumers to inform consumers when the security of that information has been compromised. This measure is intended to replace the previously introduced S. 115.

This bill is an important response to rampant identity theft. Identity theft is the fastest growing form of financial fraud in the U.S. and ruins the credit of millions of Americans every year. According to a report by the Federal Trade Commission in 2003, nearly 10 million Americans were victimized by identity theft every year. That means 19 new identity theft victims in the U.S. every minute. Overall, more than 33 million Americans, about one in six adults, have had their identities used by someone else sometime since 1990. The financial costs are high. Identity theft costs consumers and businesses a staggering $51 billion annually.

The first quarter of 2005 has been filled with disturbing revelations about breaches of the security of information about consumers, including disclosures by ChoicePoint, Lexis Nexis, and others. Security breaches place individuals at increased risk of identity theft, yet only one U.S. state presently requires businesses and government entities who discover such incidents to notify the affected individuals. When ChoicePoint first announced in early February that the personal and financial information of approximately 145,000 consumers was accessed by thieves through its databases, it didn’t plan to notify affected consumers in other states. After the Attorneys General from 38 states demanded equal treatment of their constituents, ChoicePoint notified affected consumers nationwide.

It shouldn’t be left up to a company that has had its security breached to decide whether to tell consumers about it, or which consumers to notify. Federal law should require that all consumers be told. Senator Dianne Feinstein’s proposal will accomplish this. The measure sets forth a strong, simple rule requiring notice. It has no special rules or special exceptions for some types of private entities. The bill does not let a business that has allowed a consumer’s information to be seen by a crook decide whether or not to inform the consumer about the security breach.

A strong notice of security breach law gives consumers important information at a time when they can use it to attempt to reduce the damage from identity theft through early discovery. A comprehensive requirement to notify individuals of security breaches may also create a significant incentive for businesses to review and strengthen their security procedures, so that they will not experience a breach and have to disclose that breach to their customers. Finally, this measure aids identity theft victims by giving them access to the extended fraud alert when they have received notice of a security breach. This will relieve those consumers of the need to keep renewing an initial fraud alert every 90 days, which is the only remedy available to them under current law.

There is broad public demand for laws requiring notice of security breaches. At least twenty state legislatures are considering such provisions this year. In addition to this bill, Consumers Union also supports other state and federal measures to address identity theft, including federal efforts to impose security standards and fair information practices on information brokers, restrictions on the sale, sharing, use and posting of social security numbers by private and government entities, and broader consumer privacy protections. Senator Feinstein’s measure to impose a strong notice of security breach requirement is an important part of the package of new laws that are essential to stamping out identity theft stemming from theft of information from businesses or government.

For these reasons, Consumers Union is pleased to strongly support the Notification of Risk to Personal Data Act offered by Senator Feinstein.

Sincerely,

Gail Hillebrand