Sen. Robert Menendez, D-NJ, and Rep. Albio Sires, D-NJ, made a push Friday for the reintroduction of legislation that would protect both consumers and retailers from data breaches in front of a Jersey City Home Depot, the home improvement chain that fell victim to a breach in 2014.
The two, who originally penned legislation in the wake of the Target breach, plan on putting the Commercial Privacy Bill of Rights back into play after a seemingly endless series of attacks has felled one business after another and left sensitive information about consumers exposed and used in fraudulent schemes. In the aftermath of the Target breach, Menendez asked Federal Trade Commission (FTC) Chairwoman Edith Ramirez if the FTC needed greater authority to go after hold retailers for not protecting sensitive consumer data.
In response, Ramirez, whose agency has aggressively pursued companies for falling short on protecting consumers, beseeched Congress to pass data security legislation granting the FTC with civil penalty authority. The commission is also urging Congress to specify a general federal breach notification requirement.
Noting that as Americans rely more heavily on technology safeguards must be “in place to prevent the next cyber-attack” and protect private data, Menendez announced from outside Home Depot, according to a press release.
“We need to give consumers the protections they deserve,” he said. “Further delay only leaves us all more vulnerable to identity thieves, cyber-snoops and cyber-terrorists.”
The Commercial Privacy Bill of Rights would protect individual privacy and data rights by limiting the type of information that could be collected and retention periods and give consumers participation and notice rights by requiring the FTC to issue opt out regulations so that consumers could nix the transfer of data covered in the bill to third parties.
The bill of rights would also require organizations to “contractually protect consumer information when transferring it to a third party, thereby protection it from distribution by third parties. And, it would remove some of the burden from business by calling for “an independent NGO to help companies implement the Act and tasking the Department of Commerce with organizing outside entities towards the creation of safe harbor provisions.”
That would apply only to organizations under FTC authority “that collect, use, transfer, or store certain information concerning more than 5,000 people during a 12 month period.”
The legislators said the State Attorneys General and the FTC will enforce the bill and “private suits based on the law would be prohibited.”
The legislation “comes at a critical time,” Sires said, according to the press release. He called on Congress to “stay ahead of this issue” to protect consumers. “This comprehensive, commonsense legislation will protect consumers' data and privacy, and will pave the way for significant reforms in the cyber security sphere,” he added.
Indeed, the proposed legislation drew support from Beverly Brown Ruggia of the consumer advocacy group New Jersey Citizen Action, who said in a press release that “the complex and hidden mechanisms businesses use to process everyday financial transactions have increasingly compromised consumers' personal information and left them much more vulnerable to cyber hacking and theft.”
