06.07.11

Leahy Renews Push For Data Privacy Legislation

Personal Data Privacy And Security Act Builds On Efforts In Previous Congresses

WASHINGTON (Tuesday, June 7, 2011) – Senator Patrick Leahy (D-Vt.) Tuesday introduced comprehensive legislation to enhance protections for Americans’ personal information and privacy.  Leahy first sponsored the Personal Data Privacy and Security Act in 2005, and has reintroduced the legislation in each of the last three Congresses.  He is a longtime leader in the protection of Americans’ data privacy.

The Personal Data Privacy and Security Act will establish a national standard for data breach notification, and require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.  The bill also requires businesses to allow consumers to correct inaccurate information.  Last month, the Obama administration released a proposal to enhance and strengthen cybersecurity and data privacy, including a provision to establish a national standard for data breach notification that is similar to the data breach provision in the Leahy-authored Personal Data Privacy and Security Act.  

“The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country,” said Leahy.  “The Personal Data Privacy and Security Act will help meet that challenge, by better protecting Americans from the growing threats of data breaches and identity theft.”

Additional provisions of the bill include:

  • Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;
  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;
  • An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and
  • A requirement that the government ensure that the privacy and security of sensitive data is protected when the government contracts with third-party contractors.

“Protecting privacy rights is of critical importance to all of us,” said Leahy.  “I hope that all Senators will support this measure to better protect Americans’ privacy.” 

Leahy chairs the Senate Judiciary Committee, which has approved the Personal Data Privacy and Security Act with bipartisan support in each of the last three Congresses.   The bill is cosponsored by Senators Chuck Schumer (D-N.Y.) and Ben Cardin (D-Md.).

# # # # #

Text of the Personal Data Privacy and Security Act

Section by Section Analysis of the Personal Data Privacy and Security Act (For Guidance)

# # # # #

Statement Of Senator Patrick Leahy (D-Vt.),

Chairman, Committee On The Judiciary,

On Introduction Of The Personal Data Privacy and Security Act of 2011

June 7, 2011

Today, I am pleased to reintroduce the Personal Data Privacy and Security Act.  The recent and troubling data breaches at Sony, Epsilon and Lockheed Martin on U.S. Government computers are clear evidence that developing a comprehensive national strategy to protect data privacy and cybersecurity is one of the most challenging and important issues facing our Nation.  The Personal Data Privacy and Security Act will help to meet this challenge, by better protecting Americans from the growing threats of data breaches and identity theft.  I thank Senators Schumer and Cardin for cosponsoring this important privacy legislation.

When I first introduced this bill six years ago, I had high hopes of bringing urgently needed data privacy reforms to the American people.  Although the Judiciary Committee favorably reported this bill three times -- in 2005, 2007, and again in 2009 -- the legislation languished on the Senate calendar.

While the Congress has waited to act, the dangers to our privacy, economic prosperity and national security posed by data breaches have not gone away.  According to the Privacy Rights Clearinghouse, more than 533 million records have been involved in data security breaches since 2005.  Just last week, Google announced that the Gmail accounts for hundreds of its users, including senior U.S. Government officials, have been hacked in an apparent state-sponsored cyberattack.  As The Washington Post editorial board recently observed, “[n]ow there is a need for legislative action.  As the recent high-profile leaks of personal data at Google, Sony and the data-collecting company Epsilon suggest, this issue is a ticking bomb.”

In May, the Obama administration released several proposals to enhance cybersecurity, including a data breach proposal that adopts the carefully balanced framework of this bill.  I am pleased that many of the sound privacy principles in this bill have been embraced by the President and his administration. 

The Personal Data Privacy and Security Act requires that data brokers let consumers know what sensitive personal information they have about them, and allow individuals to correct inaccurate information.  The bill also requires that companies that have databases with sensitive personal information on Americans establish and implement data privacy and security programs.

The bill would also establish a single nationwide standard for data breach notification.  The bill requires notice to consumers when their sensitive personal information has been compromised. 

This bill also provides for tough criminal penalties for anyone who would intentionally and willfully conceal the fact that a data breach has occurred when the breach causes economic damage to consumers.  The bill also includes the administration’s recent proposal to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal penalties as the underlying offense.

Finally, the bill addresses the important issue of the Government’s use of personal data by requiring that Federal agencies notify affected individuals when Government data breaches occur, and by placing privacy and security front and center when Federal agencies evaluate whether data brokers can be trusted with Government contracts that involve sensitive information about the American people.

Of course, no one has a monopoly on good ideas to solve the serious problems of identity theft and lax cybersecurity.  But, this bill puts forth some meaningful solutions to this vexing problem.

I have drafted this bill after long and thoughtful consultation with many of the stakeholders on this issue, including the privacy, consumer protection and business communities.  I have also consulted with the Departments of Justice and Homeland Security, and with the Federal Trade Commission.  I have worked closely with other Senators, including Senators Feinstein and Schumer. 

This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place.  Enacting this comprehensive data privacy legislation remains one of my legislative priorities as Chairman of the Judiciary Committee.

This bill has always garnered strong bipartisan support.  Protecting privacy rights is of critical importance to all of us, regardless of party or ideology.  I hope that all Senators will support this measure to better protect Americans’ privacy. 

I ask that a copy of the bill be printed in the Record following my statement.

# # # # #

Press Contact

David Carle: 202-224-3693