
U.S. SENATOR PATRICK LEAHY

CONTACT: Office of Senator Leahy, 202-224-4242

VERMONT


Senate Judiciary Panel Passes Leahy-Specter Data Privacy And Security Bill

Bill Would Help Consumers Better Protect Personal Information 

WASHINGTON (Thursday, May 3) – The Senate Judiciary Committee Thursday passed crucial bipartisan legislation introduced by Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) to better protect the privacy of consumers’ personal information in the face of persistent data security breaches across the country.

The Personal Data Privacy and Security Act of 2007 (S. 495) would help combat the devastating effects of identity theft while providing consumers with much needed protections.  The bill ensures privacy while enhancing criminal penalties and assistance to law enforcement.  It also provides protections against security breaches, fraudulent access and misuse of personally identifiable information.

“This is a bill that deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place and also addresses the need to provide Americans with better notice of breaches that may affect their personal information,” Leahy said during the panel’s debate on the bill.  “Passing this comprehensive privacy legislation is a legislative priority.”

The bill is cosponsored by Senators Russell Feingold (D-Wisc.), Charles Schumer (D-N.Y.), Sherrod Brown (D-Ohio), Benjamin Cardin (D-Md.), and Bernie Sanders (I-Vt.).

Prior to Committee passage, the bill was amended to include additional bankruptcy protections for victims of identity theft.  That amendment was sponsored by Senator Sheldon Whitehouse (D-R.I.).   The reported bill also contains additional privacy enhancements to safeguard consumers’ privacy, including promoting the use of encryption technology to protect consumers’ sensitive information and ensuring that consumers are promptly notified about data breaches involving their debit cards and other financial account records.

The bill, passed by voice vote, now moves to the full Senate for consideration.

# # # # #

Below is Chairman Leahy’s statement from the meeting followed by a summary of the bill.

Statement of Senator Patrick Leahy
Chairman, Committee on the Judiciary
The Leahy-Specter Personal Data Privacy and Security Act of 2007, S.495
May 3, 2007

I would like to begin today moving straight to debate on S.495, the Leahy-Specter Personal Data Privacy and Security Act.  This comprehensive bipartisan privacy bill is aimed at better protecting Americans’ privacy from the growing threats of data breaches and identity theft.  I hope after years of work and weeks of delay we can consider it and report it out this morning.

When then-Chairman Specter and I first introduced this bill in 2005, we had high hopes of bringing urgently needed data privacy reforms to the American people.  Although the Judiciary Committee favorably reported a substantially similar bill in November 2005, our bill languished on the Senate calendar for more than a year and the Senate adjourned without passing comprehensive data privacy legislation.

While the Congress waited to act on passing data privacy legislation, the problems with data breaches remained a persistent threat to Americans’ privacy.  According to the Privacy Rights Clearing House, more than 100 million records containing sensitive personal information have been involved in data security breaches since 2005.  Earlier this year, mega retailer TJX disclosed that it suffered a major computer breach involving credit and debit card purchases by millions of American consumers.   We have since learned that this data breach is the largest in U.S. history – affecting at least 45.7 million credit and debit cards.

In February, there was a major data breach involving a state computer server in Vermont that jeopardized the financial data of at least 69,000 Vermonters.  And, the United States Department of Agriculture (USDA) admitted recently that it posted the Social Security numbers of 63,000 people who received grants from the USDA on an agency website.  These data security breaches are compelling examples of why we need to pass the Personal Data Privacy and Security Act. 

Our bill requires that data brokers let consumers know what sensitive personal information they have about them, and to allow individuals to correct inaccurate information.  Our bill also requires that companies that have databases with sensitive personal information on Americans, establish and implement data privacy and security programs. 

In addition, our bill requires notice when sensitive personal information has been compromised.  I know this is an interest of Senator Feinstein’s.  She has been a leader on the issue of notice, just as California has been a leader on this issue, generally.  

This bill also provides for tough criminal penalties for anyone who would intentionally and willfully conceal the fact that a data breach has occurred when the breach causes economic damage to consumers. 

Finally, our bill addresses the important issue of the government’s use of personal data by requiring that federal agencies notify affected individuals when government data breaches occur, and placing privacy and security front and center when federal agencies evaluate whether data brokers can be trusted with government contracts that involve sensitive information about the American people.  This month, the GAO released a new report on lessons learned about the government data breaches at the VA and elsewhere, which found that when these data breaches occur, prompt notice to the individuals affected is critical so that individuals can protect themselves from the dangers of identity theft and other misuse of their personal information.

Of course, Senator Specter and I have no monopoly on good ideas to solve the serious problems of identity theft and lax data security.  But, we have tried to put forth some meaningful solutions to this problem in our bill and hope to merit the Committee’s support. 

This is not a perfect bill.  It is not the bill that either of us would have written alone.  We have engaged in much consultation, including with those in the privacy, consumer protection and business communities.  I thank all of them for sharing their views with us.  I also want to thank our cosponsors Senators Feingold and Schumer, who have worked along with us to help forge a consensus. 

I will place into the record support letters from Microsoft, Vontu, the Center for Democracy and Technology, Consumers Union, the Cyber Security Industry Alliance and Consumer Federation of America.  When we can bring consumer interests and business interests together to the extent that we have, we hope we are close to a bill this Committee can support, a bill that can pass, and a bill that can make a difference. 

This is a bill that deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place and also addresses the need to provide Americans with better notice of breaches that may affect their personal information.  Passing this comprehensive privacy legislation is a legislative priority.  I hope the Committee will join with us to support this privacy legislation and work with us to see it enacted.

We first listed this bill for Committee consideration at a business meeting on April 19th.  That meeting had to be postponed following the tragedy at Virginia Tech and the rescheduling of the oversight hearing with the Attorney General for that date.   We then listed it for consideration at our April 25th meeting, but a Senator asked that it be carried over until today.  I hope that we can complete action without further delay.  I am concerned that almost 50 amendments have been filed to the bill that the Ranking Member and I have worked out—including almost 40 on behalf of one Senator.  I hope we are not facing another filibuster by amendment situation and urge cooperation by all Members on this important matter.

# # # # #

Summary of the Leahy–Specter Personal Data Privacy and Security Act of 2007

  • Provides new measures to protect the privacy and security of personal data.  Provides Americans with notice when they have been harmed, and also addresses the underlying problem of lax security and lack of accountability in dealing with personal data.
  • Adds unauthorized access to sensitive personally identifiable information to the criminal prohibition against computer fraud under 18 U.S.C. § 1030(a)(2).
  • Requires data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct demonstrated inaccuracies.  There are exemptions for products and services already subject to access and correction rules under the Fair Credit Reporting Act, as well as companies subject to Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.  In addition, there are also exemptions for proprietary, fraud prevention tools and marketing data.
  • Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data.  There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.
  • Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised.  The trigger for notice is tied to a significant risk of harm, with appropriate checks and balances to prevent over-notification as well as underreporting.  There are exemptions for national security and law enforcement needs, for credit card companies using fraud-prevention techniques, and for cases where a breach does not result in a significant risk of harm.
  • Addresses the government’s use of personal data by: (1) requiring the General Services Administration to evaluate the privacy and security practices of potential government contractors handling personal data, and include penalties in government contracts for failure to protect data privacy and security; (2) requiring Federal departments and agencies to audit the information security practices of commercial data brokers hired for projects involving personal data and include protections and penalties in contracts with data brokers to protect data privacy and security; and (3) requiring Federal departments and agencies to conduct privacy impact assessments on their use of commercial databases to access personal data on U.S. persons, and to adopt regulations to ensure the security and privacy of data obtained through commercial data brokers.
  • Provides tough monetary penalties for failing to provide privacy and security protections and notices of security breaches, and toughens criminal penalties for those who infiltrate systems to compromise personal data.  Also imposes a criminal penalty in cases where there is intentional and willful concealment of a security breach known to require notice.

# # # # #
