Promising long-overdue reform, U.S. Sen. Patrick Leahy introduced legislation today to strengthen personal data protections and to require data-breach notifications to consumers.
The Vermont Democrat and chairman of the Senate Judiciary Committee said the Personal Data Privacy and Security Act of 2007 would make it a crime to intentionally or willfully conceal a security breach. The bill would also increase criminal penalties for identity theft involving electronic personal data.
The bill, co-sponsored by Judiciary Committee ranking member Arlen Specter (R-Pa.), would also require businesses and government agencies to give notice to individuals and law enforcement in cases of breaches involving sensitive personal data.
Under the Leahy-Specter legislation, the trigger for notice is a “significant risk” of identity theft. There are exemptions for national security and law enforcement needs and credit card companies using fraud prevention techniques.
“Today, Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder with just a few keystrokes on a computer, yet our privacy laws haven’t kept pace,” Leahy said in his floor remarks.
Targeting what Leahy called the “underlying problem of lax security and lack of accountability,” the bill would require data brokers to establish internal security policies, including giving individuals access to their information and providing the opportunity to correct any errors in the data.
Government agencies would be required to establish privacy and security rules when using information from data brokers and to conduct audits of government contracts with data brokers. The bill would impose penalties on government contractors that fail to meet the privacy and security requirements.
“Our privacy laws greatly lag behind both the capabilities of our technology and the cunning of identity thieves,” Leahy said.
Leahy and Specter introduced similar legislation in 2005 in the aftermath of the ChoicePoint and LexisNexis data breaches. The Judiciary Committee, then under the direction of Specter, approved the bill, but the legislation died in a jurisdictional dispute with the Senate Commerce Committee.
The 109th Congress adjourned without passing any data security legislation.
Since the ChoicePoint data breach, more than 100 million records containing personal data have been subject to some level of identity theft, according to the Privacy Rights Clearinghouse.
“We are in a field of phenomenal electronic advances,” Specter said in a statement. “We are now seeing breaches in the security of those advances, and it has become a matter of serious consequence for our individual privacy and law enforcement, which rely upon these electronic mechanisms to identify suspects and pursue legitimate law enforcement interests.”
The Leahy-Specter legislation is the second data protection bill introduced in the 110th Congress. In January, Sen. Dianne Feinstein (D-Calif.) proposed the Notification of Risk to Personal Data Act that would require data breach notifications to individuals without “unreasonable delay.” Exemptions in the legislation, however, are broad.
Under the Feinstein bill, businesses would be allowed to make a “risk assessment” of a data breach and only notify consumers if there is “significant” risk of harm. In addition, financial institutions are not required to notify consumers of a breach if the breach does not result in a financial loss, even if the data breached includes a PIN or other personally identifiable information.