Leahy Introduces Data Privacy Bill

Is Fourth Time the Charm for Personal Data Privacy and Security Act?

By Eric Chabrow, June 7, 2011.
Say this about Patrick Leahy: The Vermont Democrat who chairs the Senate Judiciary Committee is persistent when it comes to data privacy and security legislation.

For the fourth time in as many Congresses, Leahy introduced the Personal Data Privacy and Security Act, comprehensive legislation that among its provisions would nationalize data breach notification under a single law. The bill would require notice to consumers when their sensitive personal information has been compromised. The data breach notification provisions would apply to federal agencies as well as private organizations.

"This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," Leahy says.

The legislation would provide for tough criminal penalties for those who intentionally conceal a data breach when it causes economic damage to consumers. The bill also includes the administration's recent proposal to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal fraud penalties as the underlying offense.

The bill also would oblige agencies to evaluate privacy and data security when contracting with data brokers.

Breach Notification

The federal breach notification measure, if enacted, would supersede most provisions of state breach notification laws, though a state attorney general could enforce the federal law in federal courts. Leahy's bill does not cover breaches to local and state governments, so states could enforce and enact notification laws covering non-federal government entities.

Under the bill, businesses and federal agencies would be required to notify individuals by telephone or e-mail of a breach. Organizations in which a compromise involved 5,000 or more individuals would also have to post a media notice of the breach.

The bill also would require that businesses and federal agencies notify the Secret Service of a security breach within 14 days if the compromise involves more than 10,000 individuals, a database that contains information about more than 1 million people, a federal government database, or individuals known to be government employees or contractors involved in national security or law enforcement. The Secret Service would be responsible for notifying other federal law enforcement agencies, including the FBI, and the relevant state attorneys general within 14 days of receiving notice of a data security breach.

The legislation also would allow the attorney general to bring a civil action to recover penalties for violations of the notification requirements. Violators would be subject to a civil penalty of up to $1,000 a day per individual and a maximum penalty of $1 million a violation, unless the violation is intentional.

Other Provisions

The bill also would:

  • Require companies that maintain personal data to establish and implement internal policies to protect data privacy and security.
  • Update the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense.
  • Oblige the government to ensure that the privacy and security of sensitive data is protected when the government contracts with third-party contractors.

Leahy introduced similar legislation in 2005, 2007 and 2009, and each time the measures cleared the Senate Judiciary Committee but never came up for a vote in the Senate. "While the Congress has waited to act, the dangers to our privacy, economic prosperity and national security posed by data breaches have not gone away," Leahy says, citing figures from the Privacy Rights Clearinghouse that show more than 533 million records have been involved in data security breaches since 2005.

Follow Eric Chabrow on Twitter: @GovInfoSecurity