US Attorney General Eric Holder [official website] announced [video; press release] Monday that he is urging Congress to create a "strong national standard" requiring businesses to immediately notify consumers and law enforcement agencies when significant consumer data breaches occur. This announcement comes in the wake of two massive data breaches at major retailers Target and Neiman Marcus late last year. Accusations [NPR report] that the companies reported their breaches with undue delay raised questions about how quickly businesses should be required to notify their customers. Holder, lamenting that this type of crime is "becoming all too common," stated that the Department of Justice is working closely with the US Secret Service and the FBI to investigate cybercrimes and asserted that a national standard requiring quick reporting of such crimes "would empower the American people to protect themselves if they are at risk of identity theft" and "would enable law enforcement to better investigate these crimes." Holder also wants the proposed legislation to address the accountability of businesses that fail to keep their customers' personal and financial information safe, while providing exemptions for responsible businesses that may experience "harmless breaches."
Holder's proposed legislation is the latest effort on the federal level to reduce the prevalence of identity theft in the US. Although approximately 46 states [advocacy website] have data breach notification standards, they vary in how much time they give companies to notify customers of such breaches. In a statement [text] before the Senate Judiciary Committee earlier this month, Assistant Attorney General Mythili Raman, pushing for the new federal legislation, reported that "cybercrime has increased dramatically over the past decade," resulting in the access and exploitation of the personal information of others. Raman warned of millions of Americans potentially falling victim to identity theft every year. On February 12, President Barack Obama stated [press release] that "cyber threats pose one of the gravest national security dangers that the United States faces." He went on to announce the launch of the "Cybersecurity Framework," a guide for companies to control cyber risk. The Framework is the result of a year-long effort by the National Institute of Standards and Technology [official website], working closely with the private sector, to educate organizations and businesses on best practices and standards to "better manage cyber risk" to our country's economy. The Bureau of Justice [official website] defines identity theft "as the unauthorized use or attempted use of existing accounts ... or personal information to open a new account or for other fraudulent purposes" and reports that roughly "seven percent of persons age 16 or older were victims of identity theft in 2012." The majority of these incidents were the result of stolen credit card or bank account information.