Menendez, Sires Announce Legislation to Protect Consumers from Mass Data Breaches

U.S. Senator Robert Menendez and Congressman Albio Sires (N.J.-08) today announced that they will reintroduce the Commercial Privacy Bill of Rights to strengthen protections for consumers’ sensitive data, provide them with greater privacy rights and establish reasonable accountability measures for businesses.  This important consumer protection bill was first introduced by Sen. Menendez following the Dec. 2013 Target data breach.

“As Americans become more reliant on technology, we need to ensure that safeguards are in place to prevent the next cyber-attack and secure our private information,” said Sen. Menendez outside the Home Depot in Downtown Jersey City.  “The stakes are too high and the risks too great to do nothing given the new threats we face.  We need to give consumers the protections they deserve.  Further delay only leaves us all more vulnerable to identity thieves, cyber-snoops and cyber-terrorists.”

“This legislation comes at a critical time when data breaches are happening more and more frequently,” said Rep. Sires.  “It is important that Congress stay ahead of this issue in order to protect consumers here in New Jersey and around the country.  This comprehensive, commonsense legislation will protect consumers’ data and privacy, and will pave the way for significant reforms in the cybersecurity sphere.”

The Target data breach affected tens of millions of credit and debit card accounts, exposing customers’ names, card information, security codes and PIN numbers to hackers and identity thieves.  Since then, massive data breaches have been reported at other major American companies including Sony, Home Depot, Neiman Marcus, Staples, Michaels, eBay, J.P. Morgan Chase, Citibank, Yahoo, P.F. Chang’s, Community Health Systems and Anthem.

“The number of cyber attacks and theft of personal data continues to increase, putting millions of American families at risk and threatening consumer confidence,” said Mayor Fulop. “Senator Menendez and Congressman Sires are right to move now by putting in place the necessary measures to ensure private information is protected and that the American public is not left defenseless against hackers and cyber thieves.”

The Commercial Privacy Bill of Rights:

  • Protects individual privacy and data rights by placing limits on both the type of information an entity may collect and for how long it may retain that information.
  • Provides consumers with participation and notice rights. The bill requires the FTC to issue regulations that allow individuals to opt out of the transfer of their covered information to third parties for behavioral advertising or marketing; allow them to access and correct any personally identifiable information the entity has stored; and compel those entities to inform their customers of their rights and allow them to exercise those rights.
  • Protects information from distribution to third parties by requiring that entities contractually protect consumer information when transferring it to a third party.
  • Avoids unduly burdening businesses by requiring an independent NGO to help companies implement the Act and tasking the Department of Commerce with organizing outside entities towards the creation of safe harbor provisions.  This legislation would only apply to entities covered by the FTC that collect, use, transfer, or store certain information concerning more than 5,000 people during a 12-month period. While the bill will be enforced by State Attorneys General and the FTC, private suits based on the law would be prohibited.

Following the Target breach, Sen. Menendez wrote Federal Trade Commission Chairwoman Edith Ramirez asking if the FTC needs further legislative authority to hold retailers accountable for failures to protect consumers’ sensitive data.  She responded by urging Congress to enact data security legislation that gives the FTC civil penalty authority, as it is superior to the FTC’s traditional remedies. The FTC also recommends that Congress establish a general federal breach notification requirement.

“The complex and hidden mechanisms businesses use to process everyday financial transactions have increasingly compromised consumers’ personal information and left them much more vulnerable to cyber hacking and theft,” said Beverly Brown Ruggia of the consumer advocacy group New Jersey Citizen Action.  “New Jersey Citizen Action applauds Senator Menendez and Congressman Sires for taking the initiative toward providing protections for sensitive consumer data collection and holding businesses accountable with the transparency and regulations as set forth in the proposed Commercial Privacy Bill of Rights.”

Last week, President Obama convened a cybersecurity summit to discuss concrete ideas about how to protect our critical cyber-information, including a new center to coordinate our effort on cybersecurity and enhanced information sharing which – when effectively implemented – will be another step in the right direction.