Businesses would have to protect credit-card accounts and other sensitive consumer information and notify them when they have been exposed to identity theft, under a bill approved Thursday by a Senate committee.
The lucrative trade in consumers' Social Security numbers would also be curtailed under a bill approved unanimously by the Senate Commerce Committee.
The vote marks the first time Congress has taken steps to improve data security following a string of breaches that have exposed some 50 million consumers to possible identity theft.
"It's important we get this moved because none of us are going to have any privacy left if we don't," said Florida Democratic Sen. Bill Nelson..
Dozens of retailers, universities, banks, data brokers and other institutions have disclosed breaches this year, ranging from attacks by malicious hackers to losses of backup tapes during transit to storage facilities.
The announcements were prompted by a California state law that requires institutions to make such data breaches public. Seventeen states have since passed similar laws, prompting banks and other businesses to ask Congress to set a single national standard.
Under the Commerce Committee's bill, businesses and other institutions would have to notify consumers within 45 days if they are exposed to identity theft from any security breach. They would also have to notify the Federal Trade Commission, and the FTC would publicize those that affect more than 1,000 consumers.
Consumers could also prevent credit bureaus from giving out their credit reports to deter identity thieves from getting more information.
Businesses and other institutions would not be allowed to sell consumers' Social Security numbers without permission. They also would not be allowed to collect Social Security numbers from consumers, or display them publicly.
Social Security numbers, used to track government retirement benefits, are now commonly used as a numerical identifier on everything from bank accounts to drivers' licenses, a practice that experts say makes identity theft easier.
Other committees are considering data-security bills as well.
In the Senate, leaders of the Judiciary Committee have a bill that would establish jail time for business leaders who don't tell consumers when they may be at risk of identity theft. The committee likely won't act on that bill until after the month-long break that begins on Friday.
Committee Chairman Ted Stevens, an Alaska Republican, said the committee would also have to harmonize its bill with one being developed by the Senate Banking Committee.
In the House, the Financial Services Committee and the Energy and Commerce Committee are developing data-security bills.
