Senators intro tough, CUNA-backed data security bill
April 15, 2015
WASHINGTON (4/16/15)--Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) introduced a bill Wednesday that would set standards for entities that handle consumers' personal financial information, while outlining procedures that must be followed in the event of a data breach.
The Data Security Act of 2015 has the strong support of CUNA.
"This much-needed legislation will protect the sensitive financial information of American people by establishing a national standard for data security, protection and consumer notification," said Jim Nussle, president/CEO of CUNA. "My thanks to Senators Carper and Blunt for their bold leadership on the important issue of data breaches. This commonsense legislation ensures that those who accept cards as payment are held to the same standard as those who issue cards for payment. I strongly urge the Senate to move forward with this bill for the safety and security of all consumers."
CUNA, along with other financial trade organizations, will send a letter of support for the legislation Thursday.
"This comprehensive approach would better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud," the letter reads.
Specifically, the bill requires covered entities to "develop, implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards" that would ensure the security of personal and account information while protecting against threats and attempted acquisition of such information.
Covered entities that suspect a breach would be required to assess the nature and scope of the incident, and notify "without unreasonable delay" an appropriate federal law enforcement agency and each consumer reporting agency, if the breach involves information of more than 5,000 consumers.
In addition, all consumers to whom the information is related must be notified by mail, telephone or email. The notice must include a description of the breached information, a general description of action taken by the breached entity and a summary of victims' rights.
The bill also recognizes the standards financial institutions are subject to under the Gramm-Leach-Bliley Act and extends those requirements to other entities that handle sensitive information.