Leahy, Sanders Introduce
Personal Data Privacy And Security Act Of 2007, S.495
…Bipartisan Bill Would Help
Vermonters Better Protect Personal Information


WASHINGTON (Tuesday, Feb. 6) --
Senator Patrick Leahy (D-Vt.), Chairman of the Senate Judiciary
Committee, and Senator Bernie Sanders (I-Vt.) Tuesday introduced
comprehensive legislation that would better protect the privacy
of Vermonters’ personal information in the face of data security
breaches in Vermont and across the country.
Leahy introduced a similar bill
last Congress with fellow Judiciary Committee member Arlen
Specter (R-Pa.), following serious data breaches at ChoicePoint
and LexisNexis. Senator Specter, who is the Ranking Member on
the panel, is co-sponsoring the bill again this Congress. Since
then breaches at several other firms and within state and
federal governments have exposed millions of Americans to
identity theft by leaking or losing their personal data, which
included names, addresses, and sometimes Social Security
numbers.
Just last week in Vermont there
was a serious data breach of a computer system used by the
Vermont Agency of Human Services. The breach jeopardized the
financial data of at least 69,000 Vermonters whose personal
financial information was stored on the server. In other recent
cases, Designer Shoes Warehouse and TJ Maxx Stores both had the
personal information of their customers stolen from their
computers.
According to the Privacy Rights
Clearing House, since February 2005, more than 100 million
records containing personal information have been subject to
some sort of security breach.
“Today, Americans live in a world
where their most sensitive personal information can be accessed
and sold to the highest bidder, with just a few keystrokes on a
computer, yet our privacy laws haven’t kept pace,” said Leahy,
who has championed privacy protections in his more than three
decades in the United States Senate. “This comprehensive bill
not only deals with the need to provide Americans with notice
when they have been victims of a data breach, but also deals
with the underlying problem of lax security and lack of
accountability to help prevent data breaches from occurring in
the first place. Reforms like these are long overdue.” He said
the bill also can serve as a model for states in enacting laws
covering state-kept data.
Leahy, who has testified before
congressional Committees on this bill and the need for stronger
privacy protections, has marked privacy issues as a high
priority agenda item for the Judiciary Committee in the 110th
Congress. The Committee’s first hearing this session was on the
use of government databanks and data mining and the need for
stronger congressional oversight of that technology in order to
strike a proper balance between Americans’ privacy and their
security.
“This legislation is a critically
important tool to protect the privacy of Americans’ personal
information. Companies who collect personal information have a
serious responsibility to safeguard it and this bill would make
sure they do that,” said Sanders. “In addition, we need to
treat the theft of personal information as the serious crime
that it is. This bill sends the message loud and clear that
those who engage in identity theft are going to face increased
criminal penalties. I look forward to working with Senator
Leahy -- who has been at the forefront of the effort to protect
Americans’ privacy rights -- to advance this important
legislation.”
Key features of the bipartisan legislation include:
· Increasing criminal penalties for identity theft involving
electronic personal data and making it a crime to intentionally
or willfully conceal a security breach involving personal data;
· Giving individuals access to, and the opportunity to correct,
any personal information held by commercial data brokers;
· Requiring entities that maintain personal data to establish
internal policies that protect the personal data of Americans;
· Requiring entities that maintain personal data to give notice to
individuals and law enforcement when they experience a breach
involving sensitive personal data; and
· Requiring the government to establish rules protecting privacy
and security when it uses information from commercial data
brokers, to conduct audits of government contracts with data
brokers and impose penalties on government contractors that fail
to meet data privacy and security requirements.
# # # # #
Text of Legislation
(Below is Senator Leahy’s
Statement on Introduction of the Bill)
Statement Of
Senator Patrick Leahy,
Chairman, Committee On The Judiciary,
On The Introduction Of The Leahy-Specter Personal Data Privacy And
Security Act Of 2007
February 6, 2007
Mr. LEAHY. Mr. President, today, I am
pleased to join Senator Specter in reintroducing the Leahy-Specter
Personal Data Privacy and Security Act, a
comprehensive data privacy package aimed at better
protecting Americans’ privacy.
Senator Specter has been a valuable
partner in addressing the growing problem of data breaches and how
to best protect Americans’ sensitive personal data. I appreciate
his willingness to work with me on this important legislation again
this year and I look forward to our close partnership yielding
results in this new Congress.
I also thank Majority Leader Reid for
his leadership and commitment to enacting meaningful data privacy
legislation this year. We have also worked closely with other
members of the Judiciary Committee to address this issue and I look
forward to continuing that effort as we move this legislation
forward.
When Senator Specter and I first
introduced this bill in 2005, we had high hopes of bringing urgently
needed data privacy reforms to the American people. The Judiciary
Committee favorably reported this bill in November 2005. But,
unfortunately, our bill languished on the Senate calendar for more
than a year without any action and the Congress adjourned without
passing comprehensive data privacy legislation last year.
While the Congress waited to act on
passing data privacy legislation, the problems with data breaches
remained a persistent and pernicious threat to Americans’ privacy.
Yesterday, we learned that the Department of Veterans Affairs has
lost a portable hard drive containing the sensitive personal
information on as many as 48,000 veterans.
Just last week, there was a major data
breach involving a state computer server in my home state of
Vermont, which jeopardized the financial data of at least 69,000
Vermonters whose personal financial information had been stored on a
computer server used by the Vermont Agency of Human Services. Of
course, this situation is not unique to Vermont. There have also
been similar kinds of data breaches across the country.
Last month, mega retailer TJX
disclosed that it suffered a major computer breach involving credit
and debit card purchases involving possibly hundreds of thousands of
American consumers. Even more disturbing are reports that, although
TJX knew about this breach in mid-December, the company did not tell
its customers about the breach until a month after it occurred.
And of course, all of these
unfortunate data breaches come on the heels of the theft of the
personal data of 26.5 million of our veterans and active duty
personnel at the Veterans Administration that occurred last year.
According to the Privacy Rights Clearing House, more than 100
million records containing sensitive personal information have been
involved in data security breaches since 2005.
These data security breaches are
compelling examples of why we need strong federal data privacy and
security laws to protect Americans’ personal data and to address the
ills of lax data security. Our bill provides this much-needed
tonic.
Our bill requires that data brokers
let consumers know what sensitive personal information they have
about them, and to allow individuals to correct inaccurate
information. This is a simple matter of fairness, with clear
precedent in the credit report context.
Our bill also requires that companies
that have databases with sensitive personal information on Americans
establish and implement data privacy and security programs. In the
Information Age, any company that wants to be trusted by the public
must earn that trust by vigilantly protecting the databases they use
and maintain.
In addition, the bill requires notice
when sensitive personal information has been compromised. The
American people have a right to know when they are at risk because
of corporate failures to protect their data, or when a criminal has
infiltrated data systems. This bill also provides for tough
criminal penalties for anyone who would intentionally and willfully
conceal the fact that a data breach has occurred when the breach
causes economic damage to consumers.
Finally, our bill addresses the
important issue of the government’s use of personal data. This bill
would require federal agencies to notify affected individuals when
government data breaches occur. Because we are living in a world in
which our government increasingly is turning to the private sector
to get personal data the government could not legally collect on its
own, our bill also places privacy and security front and center in
evaluating whether data brokers can be trusted with government
contracts that involve sensitive information about the American
people.
This is a comprehensive bill that not
only deals with the need to provide Americans with notice when they
have been victims of a data breach, but that also deals with the
underlying problem of lax security and lack of accountability to
help prevent data breaches from occurring in the first place.
Reforms like these are long overdue. And, as we start a new
Congress, these reforms should be at the top of our domestic
agenda. Data security and privacy issues will be a high priority on
the Judiciary Committee’s agenda in this new Congress.
Today, Americans live in a world where
their most sensitive personal information can be accessed and sold
to the highest bidder, with just a few keystrokes on a computer.
Our privacy laws greatly lag behind both the capabilities of our
technology and the cunning of identity thieves. This legislation
takes an important and meaningful step to help close this gap. For
the sake of all Americans, I urge all Senators to support this
legislation and to act now to pass comprehensive data privacy and
security legislation. I ask unanimous consent that a copy of the
bill be printed in the Record.
# # # # #
Summary Of The
Leahy–Specter Personal Data Privacy And Security Act Of 2007
- Provides new measures to protect the privacy and security of
personal data. Provides Americans with notice when they have been
harmed, and also addresses the underlying problem of lax security
and lack of accountability in dealing with personal data.
- Adds unauthorized access to sensitive personally identifiable
information to the criminal prohibition against computer fraud
under 18 U.S.C. § 1030(a)(2).
- Requires data brokers to let individuals know what information
they have about them, and where appropriate, allow individuals to
correct demonstrated inaccuracies. There are exemptions for
products and services already subject to access and correction
rules under the Fair Credit Reporting Act, as well as companies
subject to Gramm-Leach-Bliley and the Health Information
Portability and Accountability Act. In addition, there are also
exemptions for proprietary fraud prevention tools and marketing
data.
- Requires companies that have databases with personal information
on more than 10,000 Americans to establish and implement data
privacy and security programs, and vet third-party contractors
hired to process data. There are exemptions for companies already
subject to data security requirements under Gramm-Leach-Bliley and
the Health Information Portability and Accountability Act.
- Requires notice to law enforcement, consumers and credit
reporting agencies when digitized sensitive personal information
has been compromised. The trigger for notice is tied to
significant risk of harm, with appropriate checks and balances to
prevent over-notification as well as underreporting. There are
exemptions for national security and law enforcement needs, for
credit card companies using fraud-prevention techniques, or where
a breach does not result in a significant risk of harm.
- Addresses the government’s use of personal data by: (1) requiring
the General Services Administration to evaluate the privacy and
security practices of potential government contractors handling
personal data, and include penalties in government contracts for
failure to protect data privacy and security; (2) requiring
Federal departments and agencies to audit the information security
practices of commercial data brokers hired for projects involving
personal data and include protections and penalties in contracts
with data brokers to protect data privacy and security; and (3)
requiring Federal departments and agencies to conduct privacy
impact assessments on their use of commercial databases to access
personal data on U.S. persons, and to adopt regulations to ensure
the security and privacy of data obtained through commercial data
brokers.
- Provides tough monetary penalties for failing to provide privacy
and security protections and notices of security breaches, and
toughens criminal penalties for those who infiltrate systems to
compromise personal data. Also imposes a criminal penalty in cases
where there is intentional and willful concealment of a security
breach known to require notice.
# # # # #