12.17.09

Leahy Files Report On Data Privacy And Cybersecurity Legislation

WASHINGTON (Thursday, Dec. 17, 2009)  – Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) Thursday filed a committee report to accompany data privacy legislation that was advanced to the Senate in November.  The legislation is the first cybersecurity bill to be reported in the Senate this year. The Judiciary Committee approved the legislation at a business meeting held on November 5.   The comprehensive Personal Data Privacy and Security Act will improve cybersecurity and better protect American’s privacy and personal information.  The Committee Report is available online here.

Leahy introduced the bill in July.  The legislation is cosponsored by former Chairman Orrin Hatch (R-Utah).  Leahy and Hatch have partnered on cybercrime legislation in the past.  The bill is also cosponsored by Senators Arlen Specter (D-Pa.), Benjamin Cardin (D-Md.), Dick Durbin (D-Ill.), Russ Feingold (D-Wis.), Chuck Schumer (D-N.Y.) and Sherrod Brown (D-Ohio).

“The Personal Data Privacy and Security Act will establish a much-needed national standard for breach notification, and clear requirements for securing Americans’ sensitive personal data,” said Leahy.  “For several years, the Committee has worked very hard on this bill to address these concerns and to ensure that this bill strikes the right balance to protect privacy, promote commerce and successfully combat identity theft and other cyber crimes.  I urge the Senate not to delay action on this measure.”

The Personal Data Privacy and Security Act will require data brokers and companies to establish and implement data privacy and security programs. The Judiciary Committee approved similar comprehensive data privacy and cybersecurity legislation in the last two Congresses.  Provisions of the Personal Data Privacy and Security Act would:

  • Increase criminal penalties for identity theft involving electronic personal data and make it a crime to intentionally or willfully conceal a security breach involving personal data;
  • Give individuals access to, and the opportunity to access and correct, any personal information held by commercial data brokers;
  • Require entities that maintain personal data to establish internal policies that protect the privacy of Americans;
  • Require entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data that could result in significant harm or fraud ; and
  • Require the government to establish rules protecting privacy and security when it uses information from commercial data brokers to conduct audits of government contracts with data brokers, and impose penalties on government contractors that fail to meet data privacy and security requirements.
  • The legislation is supported by, among others,  the United States Secret Service, the Federal Trade Commission, the Business Software Alliance, the Center for Democracy and Technology, Consumers Union, Facebook, Microsoft, Symantec, and AARP.


Leahy has been a longtime champion of privacy protections, and has testified before congressional Committees on the importance of the data privacy legislation.  Among the first hearings of the Senate Judiciary Committee this Congress, Leahy held an important hearing on privacy concerns associated with electronic health records.  He was able to secure several health privacy provisions in the economic recovery package enacted earlier this year.

# # # # #

Statement Of Senator Patrick Leahy (D-Vt.),
Chairman, Senate Committee On The Judiciary,
On The Reporting Of S. 1490, The Personal Data Privacy And Security Act Of 2009
December 17, 2009

MR. PRESIDENT.  I am pleased that today, the Judiciary Committee is filing its report on S. 1490, the Personal Data Privacy and Security Act of 2009.  This comprehensive cyber security legislation will better protect American consumers and businesses from the constant threat of identity theft and other cyber crimes.   

I introduced this legislation in July.  It is cosponsored by Senators Specter, Hatch, Cardin, Durbin, Feingold, Schumer, and Brown.  The Committee favorably reported this bipartisan bill on November 5, 2009.   I am pleased that, thanks to the hard work of the Judiciary Committee, this legislation is the first cybersecurity bill to be reported in the Senate this year.

The Personal Data Privacy and Security Act will establish a much-needed national standard for breach notification, and clear requirements for securing Americans’ sensitive personal data.  The bill also requires that data brokers let consumers know what sensitive personal information they have about them, and allow consumers to correct inaccurate information.  Lastly, the bill provides for tough criminal penalties for anyone who intentionally and willfully conceals the fact that a data breach has occurred, when the breach causes economic damage to consumers.  

The Federal Bureau of Investigation’s latest annual report on Internet crime found that online crime hit a record high in 2008 – a 33.1 percent increase over the previous year – and that the total dollar loss linked to online fraud last year was $265 million.   This dramatic loss of data privacy is not just a grave concern for American consumers; it is also a serious and growing threat to the economic security of American businesses.  A recent National Small Business Study conducted by the National Cyber Security Alliance found that the majority U.S. small businesses store important customer data on their computer systems, but 86 percent of these companies do not have a full-time employee dedicated to maintaining data security.   

For several years, the Committee has worked very hard on this bill to address these concerns and to ensure that this bill strikes the right balance to protect privacy, promote commerce and successfully combat identity theft and other cyber crimes.  For this reason, the legislation is supported by a broad cross-section of consumer, business, and government organizations, including, the United States Secret Service, the Federal Trade Commission, the Business Software Alliance, the Center for Democracy and Technology, Consumers Union, Facebook, Microsoft, Symantec, and AARP.  

Given the persistent threat of lax data security, we cannot afford to wait any longer to address this pressing issue.  During the last Congress, the Senate Judiciary Committee promptly reported this bill in May 2007; unfortunately, the Senate adjourned without taking any action.  In the intervening months, the problems of identity theft and lax data security have not gone away.  Just recently, we learned firsthand that no one, including Congress, is truly immune from the risks associated with data security breaches.

While I have – and will continue to – consult closely with all interested Senators on this bill, I urge the Senate not to delay action on this measure.  The critical privacy reforms in this bill are by no means all that must be done to improve cybersecurity.  But, they are crucial first steps that Congress should immediately enact.   

The  New York Times editorial board recently recognized the need for quick action on this legislation in a November 25, 2009, editorial entitled “Keeping Personal Data Private,” in which they wrote: “There are many important issues competing for Congress’s attention, but keeping people’s personal information safe should rank high on the list.  Senate leaders should find the time for a vote on the Leahy bill, and the House should pass its own bill without further delay.”  I ask that a copy of that editorial be included in the record following my full statement.

The House of Representatives passed its comprehensive data privacy legislation – the Data Accountability and Trust Act, H.R. 2221, on December 8, 2009.  Now that the House has acted, I hope that the Senate will consider this comprehensive data privacy bill early next year.  

Again, I thank all of the cosponsors of this bill for their work on this bill and for their commitment to protecting the privacy rights of all Americans.  I urge all Members to support this important cybersecurity legislation.

# # # # #

Press Contact

David Carle: 202-224-3693