Bill Would Require Notification Of DataBreaches

WASHINGTON - (10/06/05) -- Credit unions and banks would berequired to notify customers if a data breach may cause identitytheft or transaction fraud under a new bill expected to beintroduced later this week. The issue of notification of databreaches has become a major one because cardholders at hundreds ofcredit unions and banks had to wait for months before they werenotified of the massive theft of consumer information fromCardSystems Solutions earlier this year. A federal court ruled lastmonth that Visa and MasterCard were not responsible for notifyingaffected cardholders because neither Visa or MasterCard had directrelationships with the cardholders, but with the cardholders'issuing credit unions and banks. The bill would also require allusers of confidential consumer information to secure thatinformation and cause businesses that suffered any informationbreaches to pay for notification to consumers and free creditmonitoring, according to Rep. Michael Castle, R-Del., who ishelping to draft the legislation. "The bottom line is, this is amatter of great urgency," Castle told attendees to Visa USA'sSecurity Summit here Wednesday. Castle said he expects a revisedversion of the security bill to be introduced by the end of thisweek, and a hearing to be held over the next few weeks.