Experian's recent data breach, which may have exposed the social security numbers of millions of T-Mobile customers, shows the need for a new data breach bill, a group of lawmakers said on Wednesday.
"Experian and T-Mobile’s recent incident demonstrates the need for legislation that addresses both consumer notification and sets minimum security requirements for companies that collect and store such sensitive consumer data," Sens. Richard Blumenthal (D-Conn.), Bill Nelson (D-Fla.) and Brian Schatz (D-Hawaii), said in a letter to T-Mobile CEO John Legere and Experian CEO Brian Cassin.
The lawmakers' letter comes in response to news that hackers acquired data including the names, addresses, birthdates and social security numbers for 15 million T-Mobile customers. The social security numbers were encoded, but the encryption may have been compromised, according to T-Mobile. "Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian," Legere wrote in a message posted on T-Mobile's site.
Lawmakers currently are considering several versions of data-breach bills. One of the measures, the Consumer Privacy Protection Act, which is backed by Blumenthal, would require companies to notify consumers within 30 days if hackers obtain “sensitive” information -- including photos, geolocation data and medical information.
That bill also would require companies to minimize retention of “sensitive personally identifiable information,” including bank account numbers, social security numbers, online usernames and passwords, health-related information and password-protected photos and videos.
That bill, unlike some of the other measures under consideration, doesn't trump tougher state laws.
The Direct Marketing Association has said it supports a national data breach bill, but wants federal lawmakers to also preempt all state legislation.