For the fourth time in as many Congresses, Leahy introduced the Personal Data Privacy and Security Act, comprehensive legislation that among its provisions would nationalize data breach notification under a single law. The bill would require notice to consumers when their sensitive personal information has been compromised. The data breach notification provisions would apply to federal agencies as well as private organizations.
"This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," Leahy says.
The legislation would provide for tough criminal penalties for those who intentionally conceal a data breach when it causes economic damage to consumers. The bill also includes the administration's recent proposal to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal fraud penalties as the underlying offense.
The bill also would oblige agencies to evaluate privacy and data security when contracting with data brokers.
Breach Notification
The federal breach notification measure, if enacted, would supersede most provisions of state breach notification laws, though a state attorney general could enforce the federal law in federal courts. Leahy's bill does not cover breaches to local and state governments, so states could enforce and enact notification laws covering non-federal government entities.
Under the bill, businesses and federal agencies would be required to notify individuals by telephone or e-mail of a breach. Organizations in which a compromise involved 5,000 or more individuals would also have to post a media notice of the breach.
The bill also would require that businesses and federal agencies notify the Secret Service of a security breach within 14 days if the compromise involves more than 10,000 individuals; a database that contains information about more than 1 million people; a federal government database; or individuals known to be government employees or contractors involved in national security or law enforcement. The Secret Service would be responsible for notifying other federal law enforcement agencies, including the FBI, and the relevant state attorneys general within 14 days of receiving notice of a data security breach.
The legislation also would allow the attorney general to bring a civil action to recover penalties for violations of the notification requirements. Violators would be subject to a civil penalty of up to $1,000 a day per individual and a maximum penalty of $1 million a violation, unless the violation is intentional.
The bill also would:
- Require companies that maintain personal data to establish and implement internal policies to protect data privacy and security.
- Update the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense.
- Oblige the government to ensure that the privacy and security of sensitive data is protected when the government contracts with third-party contractors.
Leahy introduced similar legislation in 2005, 2007 and 2009, and each time the measures cleared the Senate Judiciary Committee but never came up for a vote in the Senate. "While the Congress has waited to act, the dangers to our privacy, economic prosperity and national security posed by data breaches have not gone away," Leahy says, citing figures from the Privacy Rights Clearinghouse that show more than 533 million records have been involved in data security breaches since 2005.
Leahy said he drafted the bill after consulting various stakeholders, including privacy and consumer protection advocates and businesses as well as the departments of Justice and Homeland Security, where the Secret Service is situated, and the Federal Trade Commission. "No one has a monopoly on good ideas to solve the serious problems of identity theft and lax cybersecurity," Leahy says. "But, this bill puts forth some meaningful solutions to this vexing problem."
Last month, Leahy introduced the Electronic Communications Privacy Act Amendments Act, an update of the 25-year-old Electronic Communications Privacy Act that would protect the privacy of smartphone users and e-mail communications (see Leahy Introduces Digital Privacy Bill).