New Fed Bill Forces Companies To Alert Customers About Hacked Info

With a similar law taking effect in her home state as of next month, U.S. Sen. Dianne Feinstein (D-California) has introduced legislation to force companies to tell customers when hackers or crackers get access to their most sensitive personal information.

Called the Notification of Risk to Personal Data Act, the Feinstein bill would slap companies or groups that don't give such notice with a $5,000 fine from the Federal Trade Commission and up to $25,000 in daily fines for each day they don't notify. California's law would require companies to tell California customers when sensitive personal information is stolen in a hack or crack, as of July 1.

"I strongly believe," said Feinstein in a formal statement, "individuals have a right to be notified when their most sensitive information is compromised, because it is truly their information. This is both a matter of principle and a practical measure to curb identity theft."

The bill would require companies or groups to e-mail victims or, if they don't have the victims' contact information, to post notices on the Internet and in print media about a hack or crack theft of information.

Where Feinstein's bill differs from the incoming California law, according to published reports, is that her bill would not give individuals the right to sue if their sensitive personal information should be released. But neither does the Feinstein bill specifically protect offending companies from private or class-action litigation, nor does it pre-empt the California law, the reports said.

The bill would require organizations to e-mail or send letters to individuals. If a company does not have that information or if that is too costly, the company would have to inform the media and post notices on its website.