On Wednesday, Democrats in the U.S. Senate introduced a proposed Consumer Privacy Protection Act that, among other aims, would penalize companies that fail to notify consumers promptly of breaches in their payment card systems and other databases storing sensitive information.
U.S. Sen. Richard Blumenthal (D-Conn.) is among the bill’s backers. Last week, Blumenthal rebuked Equifax executives during a Capitol Hill hearing on the Atlanta-based company’s response to a breach earlier this year affecting as many as 145 million people. On Tuesday, the apparel retailer Forever 21 became the latest company to disclose a breach, furnishing notice despite having scant details to share in the early stages of its investigation of the hack.
The Senate bill would require companies to notify consumers as soon as they learn a data breach may have occurred, rather than delaying notice pending the results of an investigation or for any other reason. Companies would have to meet baseline privacy and security standards in the storage of Social Security numbers, bank and payment card data, online passwords and other information.
Besides Blumenthal, sponsors include U.S. senators Patrick Leahy (D-Vt.), Ed Markey (D-Mass.), Ron Wyden (D-Ore.), Al Franken (D-Minn.) and Tammy Baldwin (D-Wisc.).
“Under current law even the most egregious examples of lax security can be met only with apologies and promises to do better next time – no fines, penalties or real deterrents to create incentives to actually do better,” Blumenthal stated Thursday in an announcement of the new legislation. “This bill begins to provide that real deterrent by holding companies accountable for the sensitive data they collect, and requiring — not merely requesting or suggesting — that they take baseline steps to safeguard consumer privacy.”
In a June Ponemon Institute study sponsored by IBM, researchers determined that the average cost to a corporation of responding to a computer breach last year totaled $3.6 million; put in human terms, that is $225 for each U.S. resident’s digital record that fell into the hands of system intruders.
The bill follows a similar measure Blumenthal introduced in September, as well as several more filed in the U.S. House of Representatives since October. On Nov. 1, the Energy and Commerce Committee’s subcommittee on Digital Commerce and Consumer Protection held a hearing on the issue, at which a Harvard University computer security expert gave his take on the mistakes made by Equifax.
“Equifax … waited nearly six weeks before informing victims that their personal information had been stolen and they were at increased risk of identity theft,” said Bruce Schneier, a lecturer at Harvard University, testifying at the hearing. “Equifax opened a website to help aid customers, but the poor security around that — the site was at a domain separate from the Equifax domain — invited fraudulent imitators and even more damage to victims.
“Equifax is more than a credit reporting agency — it’s a data broker,” Schneier added. “It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us — almost all of them companies you’ve never heard of and have no business relationship with.”
This article originally appeared on CTPost.com.