November 3, 2009

The Honorable Patrick Leahy
Chair
Senate Judiciary Committee
United States Senate
Washington, DC 20510

Dear Mr. Chairman:

Consumers Union , the non-profit publisher of Consumer Reports, is pleased to support S. 1490, the Personal Data Privacy and Security Act of 2009 to ensure that data of the type involved in the Heartland Payments System breach will require a notice of security breach. This measure is an important step in the ongoing fight to promote data privacy and reduce the incidence of identity theft against U.S. consumers and businesses.

According to a 2007 Federal Trade Commission (FTC) study, 8.3 million U.S. adults become victims of ID theft each year. Based on this number, we estimate that there are more than 22,000 victims per day and 15 victims per minute. Since January 2005, security breaches have been announced involving over 340 million records containing sensitive information about individuals. This bill addresses these stark and unpleasant facts of financial life in a balanced and effective manner.

S. 1490 is an important step to promote data privacy. It requires notice of security breaches, provides a new right for consumers to see and correct information held on them by data brokers, establishes a baseline obligation for business entities to safeguard sensitive personal information, and imposes additional protections when the federal government enters into large contracts with data brokers.

The bill’s basic thrust that business entities and federal agencies should notify individuals of a breach of the security of their personal information could help provide an incentive for companies to keep consumers’ information secure and allow consumers to know when their personal information has been compromised. This will allow consumers to take reasonable steps to prevent becoming victims of identity theft or other harm. For example, individuals who receive a notice of breach letter might monitor their credit closely, check their financial statements frequently, place a federal fraud alert on their credit files, and place a security freeze on their consumer credit files.

We also strongly favor the provisions of the measure that permit state Attorneys General to bring enforcement actions under Title III. Strong enforcement mechanisms promote compliance with the law, and state Attorneys General have been at the forefront of notice of data breach issues, responses and service to victims of identity theft, and state legislative responses to the issue of identity theft.

We do wish to point out our concern about the bill’s notice of security breach provision’s limited exception to the obligation to give notice of a security breach based on a determination of the absence of “significant risk.” Many U.S. consumers are now receiving notice without any risk exemption because large population state laws such as California, New York and Illinois tie the obligation to give notice to the type of information breached, without applying a risk standard. This lets consumers decide for themselves how to respond to a notice of breach after they receive it.

We believe that the strongest federal notice of breach standard would not include any reference to a risk exception. However, we do appreciate that, if an approach which considers risk is to be used, it should be structured similar this bill, so that notice will not be excused on the basis of insufficient information. This measure would be further strengthened by changing “significant” to “reasonable.”

Finally, telephone notice is not advisable and should not take the place of notice by mail or even electronic mail. Much effort has been spent educating consumers not to discuss their bank accounts or credit cards with anyone who calls them, and legitimate phone notice of a breach could open an avenue for scammers to purport to be providing such notices. Thus, we recommend that telephone notice be taken out of the bill. It may also be more difficult to share information about a breach within a family with the adult who manages family finances if the notice goes to a different family member in whose name in which the account is held.

Our organization is pleased to support this bill which will help to ensure that U.S. consumers enjoy more effective data privacy and security. We appreciate your continued leadership on this matter which resolves a significant concern we have had about the measure, and look forward to working with you as this bill moves through the legislative process.

Sincerely,

Gail Hillebrand
Financial Services Manager
Consumers Union
West Coast Office