11.05.09

Judiciary Committee Advances Leahy’s Cybersecurity Bill

WASHINGTON -- The Senate Judiciary Committee Thursday approved bipartisan legislation authored by Chairman Patrick Leahy (D-Vt.) and cosponsored by former Chairman Orrin Hatch (R-Utah) that will improve cybersecurity and better protect Americans’ privacy and personal information. 

Among other provisions, the comprehensive Personal Data Privacy and Security Act will require data brokers and companies to establish and implement data privacy and security programs. The Judiciary Committee has approved similar comprehensive data privacy and cybersecurity legislation in the last two Congresses.  Leahy and Hatch have partnered on cybercrime legislation in the past.  The bill is also cosponsored by Senators Arlen Specter (D-Pa.), Benjamin Cardin (D-Md.), Russ Feingold (D-Wis.), Chuck Schumer (D-N.Y.) and Sherrod Brown (D-Ohio).

“The loss of data privacy is not just a grave concern for American consumers; it is also a serious and growing threat to the economic security of American businesses, and is a growing threat to our national security,” said Leahy.  “The Personal Data Privacy and Security Act takes meaningful steps to help address many of these concerns.  I appreciate Senator Hatch working with me to further improve this bill.  The time for Congress to enact comprehensive data privacy legislation has come.  I hope that the Senate will consider this legislation promptly.”

“It seems on a daily basis, we hear reports of cyber thieves who compromise private information of U.S. citizens and cause irreparable damage to reputations,” said Hatch.  “That is why passing consensus federal data breach legislation is a step in the right direction to not only protect the unprotected, but to simplify the confusion caused by differing state laws.  I am pleased to be working with Chairman Leahy on this important legislation which should help prevent future destructive data breaches.”

The Personal Data Privacy and Security Act would:

  • Increase criminal penalties for identity theft involving electronic personal data and make it a crime to intentionally or willfully conceal a security breach involving personal data;
  • Give individuals access to, and the opportunity to correct, any personal information held by commercial data brokers;
  • Require entities that maintain personal data to establish internal policies that protect the personal data of Americans;
  • Require entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and
  • Require the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.

An amendment adopted during the Committee’s consideration of the legislation makes several key changes to the bill such as the inclusion of anti-fraud provisions and improvements to data breach notification requirements.

The legislation is supported by the United States Secret Service, the Federal Trade Commission, the Business Software Alliance, the Center for Democracy and Technology, Consumers Union, Facebook, Microsoft, Symantec, and AARP. 

Leahy has been a longtime champion of privacy protections, and has testified before congressional Committees on the importance of the data privacy legislation.  Among the first hearings of the Senate Judiciary Committee this Congress, Leahy held an important hearing on privacy concerns associated with electronic health records.  He was able to secure several health privacy provisions in the economic recovery package enacted earlier this year.

# # # # #

Statement Of Senator Patrick Leahy (D-Vt.),
Chairman, Committee On The Judiciary,
On The Personal Data Privacy and Security Act of 2009
November 5, 2009

Today, the Committee will consider the Personal Data Privacy and Security Act, an important bill that will better protect Americans from the growing threats of data breaches and identity theft.  This long overdue privacy bill will establish a national standard for breach notification and requirements for securing Americans’ sensitive personal data.  The bill -- as improved by my manager’s amendment -- strikes the right balance to protect privacy, promote commerce and successfully combat identity theft.  This Committee has twice favorably reported this bill with strong bipartisan support, and I urge all Members of the Committee to favorably report this bill again this year.

Since we first introduced this bill in 2005, Senator Specter and I have consulted closely with Members on both sides, including Senators Feinstein, Hatch, Feingold, Schumer and Cardin, to improve this bill, so that it provides meaningful privacy protections to American consumers and businesses.   I want to particularly thank Senator Hatch for working closely with me to further improve this bill.  Senator Hatch and I have worked together in the past on cybercrime legislation and I look forward to continuing that important partnership with this bill.  We have also consulted with Federal law enforcement, including the United States Secret Service, the Federal Trade Commission and the Department of Justice, to ensure that privacy protections in the bill will be properly enforced.  We will continue to work with the Obama administration to ensure that the bill is properly enforced.

Just this week, Congress learned firsthand that no one is truly immune from the risks associated with data security breaches.  Of course, this comes as no surprise to most Americans, who are reminded almost daily about new data security breaches and the dangers posed by identity theft in these economically challenging times.   

The FBI’s latest annual report on Internet crime found that online crime hit a record high in 2008 -- a 33.1 percent increase over the previous year -- and that the total dollar loss linked to online fraud last year was $265 million.  This loss of data privacy is not just a grave concern for American consumers; it is also a serious and growing threat to the economic security of American businesses.  A recent National Small Business Study conducted by the National Cyber Security Alliance found that the majority of U.S. small businesses store important customer data on their computer systems, but 86 percent of these companies do not have a full-time employee dedicated to maintaining data security.

The absence of strong data security policies is also a growing threat to our national security.  Last weekend, The Washington Post reported that documents related to the Marine One presidential helicopter and the Air Force’s F-35 fighter jets have been improperly accessed by computer hackers in foreign countries in recent years.  I thank and commend Senator Cardin, the distinguished Chair of the Subcommittee on Terrorism and Homeland Security, for holding an important hearing on the pressing issue of developing a national cybersecurity strategy later this month.  

The Personal Data Privacy and Security Act takes meaningful steps to help address many of these concerns.  The bill requires that data brokers let consumers know what sensitive personal information they have about them, and allow consumers to correct inaccurate information.  The bill also requires that companies that have databases with sensitive personal information on Americans establish and implement meaningful data privacy and security programs. 

In addition, the bill requires notice to consumers when sensitive personal information has been compromised and specifically requires that Federal agencies notify affected individuals when Government data breaches occur.  The bill, as amended, includes an exemption for anti-fraud databases to help the Government detect and combat fraud.  Lastly, the bill provides for tough criminal penalties for anyone who would intentionally and willfully conceal the fact that a data breach has occurred when the breach causes economic damage to consumers. 

I thank the many private sector and government organizations that support this bill, including AARP, the Business Software Alliance, the Center for Democracy and Technology, Consumers Union, Facebook, Microsoft, Symantec, the United States Secret Service and the Federal Trade Commission.  I will place several support letters that I have received in the record. 

The time for Congress to enact comprehensive data privacy legislation has come.  I hope that, once again, this Committee will lead the way by favorably reporting this important privacy bill.

# # # # #

Press Contact

David Carle: 202-224-3693