03.25.08

Leahy, Specter Call For DOJ Investigation Into Passport Data Breach At State Department

Senate Judiciary Committee Leaders Press For Floor Consideration Of Data Privacy Legislation

WASHINGTON (Tuesday, March 25, 2008) – Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today urged the Attorney General to take immediate action to investigate reported breaches of the passport files of the three presidential candidates at the State Department.  Attorney General Michael Mukasey stated last week that the Justice Department would await the outcome of an internal investigation at the State Department before taking action.

“We both strongly believe that our government has a duty to protect the private information of its citizens,” wrote Leahy and Specter.  “The Justice Department should not wait to be handed ‘a box full of evidence,’ as you said at your recent briefing, before determining whether Federal laws were broken.”

On Tuesday, Leahy and Specter also wrote to Majority Leader Harry Reid and Minority Leader Mitch McConnell, pressing for swift consideration of the Leahy-Specter Personal Data Privacy and Security Act.  The bill would help to prevent data security breaches and to combat identity theft while providing further protections in the handling of Americans’ private data, including the handling of private data by Federal agencies and government contractors, such as those who breached the passport files of the three presidential candidates.  The legislation also includes a requirement for timely notification of data security breaches.  (Summary of the Leahy-Specter data privacy legislation.)

“We write to request that you schedule floor time for Senate consideration of S.495, the Leahy-Specter Personal Data Privacy and Security Act,” the Senators wrote.  “This comprehensive data privacy bill is aimed at better protecting Americans’ privacy.  The Senate should consider and pass it.  We can help make a difference for all Americans.”

The Leahy-Specter legislation has broad support, and was reported by the Judiciary Committee in May 2007.  Leahy and Specter have since urged the Senate to consider the legislation.  The text of the Leahy-Specter letters is below.

# # # # #

Letter to Attorney General Michael Mukasey

March 25, 2008

The Honorable Michael B. Mukasey
Attorney General
United States Department of Justice
950 Pennsylvania Avenue, N.W.
Washington, D.C. 20530

Dear Attorney General Mukasey:

We were troubled to learn last week that the passport files of all three presidential candidates were breached by State Department contractors.  This revelation raises concerns about possible violations of Federal laws meant to protect Americans’ privacy.

According to recent news reports, the Department of Justice has yet to begin an investigation into the passport breaches or the possibility that private information about the candidates may have been illegally disclosed.  Last Friday during a press briefing, you indicated that the Department would await completion of the State Department’s Inspector General’s inquiry and a referral before taking any action. 

While we are pleased that the State Department now appears to be taking these breaches seriously, the Justice Department’s critical law enforcement function need not and should not await completion of the State Department’s internal probe.  We ask that you take immediate action to look into this matter, and inform us what preliminary steps the Department is taking to determine whether these passport file breaches involved the violation of Federal laws, and to make sure that any evidence of possible violations by current or former contractors is being preserved. 

We both strongly believe that our government has a duty to protect the private information of its citizens.  The Justice Department should not wait to be handed “a box full of evidence,” as you said at your recent briefing, before determining whether Federal laws were broken. 

Sincerely,

PATRICK LEAHY, Chairman
ARLEN SPECTER, Ranking Member

# # # # #

Letter to Majority Leader Harry Reid and Minority Leader Mitch McConnell 

March 25, 2008

The Honorable Harry Reid
Majority Leader
United States Senate
S-221, U.S. Capitol
Washington, D.C. 20510

The Honorable Mitch McConnell
Republican Leader
United States Senate
S-230, U.S. Capitol
Washington, D.C. 20510

Dear Senators Reid and McConnell: 

We write to request that you schedule floor time for Senate consideration of S.495, the Leahy-Specter Personal Data Privacy and Security Act.  This comprehensive data privacy bill is aimed at better protecting Americans’ privacy.

 

A week does not go by without reports of personal data privacy breaches.  This week, front page headlines have delivered news about the theft last month of personal information from the National Institutes of Health.  Earlier reports have involved virtually every department of the Federal Government.  And just last week, we learned that the passport files of the presidential candidates may have been compromised by contractors.  Unauthorized invasions of sensitive personal medical information are another concern.

 

Our bill directly addresses concerns with these matters.  The legislation would provide protections for consumers, including a requirement for timely notification of data security breaches.  In particular, the bill would require that government contractors safeguard sensitive personal data, including the passport information that was recently breached at the State Department. 

 

This data privacy bill has the support of many consumer, business and privacy organizations, including Microsoft, Vontu, TraceSecurity, the National Association of Credit Management, the American Federation of Government Employees, the Cyber Security Industry Alliance, the Center for Democracy and Technology, Consumers Union, Consumer Federation of America and, to a great extent, the American Association of Retired Persons.  As you can see, we have been able to bring consumer interests and business interests together in support of our legislation. 

 

Our bipartisan measure was favorably reported by the Judiciary Committee last May.  The Senate should consider and pass it.  We can help make a difference for all Americans.  

 

Sincerely,

PATRICK LEAHY, Chairman
ARLEN SPECTER, Ranking Member

# # # # #

For Background

Summary of the Leahy–Specter Personal Data Privacy and Security Act of 2007 

  • Provides new measures to protect the privacy and security of personal data.  Provides Americans with notice when they have been harmed, and also addresses the underlying problem of lax security and lack of accountability in dealing with personal data.
  • Addresses the government’s use of personal data by: (1) requiring the General Services Administration to evaluate the privacy and security practices of potential government contractors handling personal data and to include penalties in government contracts for failure to protect data privacy and security; (2) requiring Federal departments and agencies to audit the information security practices of commercial data brokers hired for projects involving personal data and to include protections and penalties in contracts with data brokers to protect data privacy and security; and (3) requiring Federal departments and agencies to conduct privacy impact assessments on their use of commercial databases to access personal data on U.S. persons, and to adopt regulations to ensure the security and privacy of data obtained through commercial data brokers.
  • Adds unauthorized access to sensitive personally identifiable information to the criminal prohibition against computer fraud under 18 U.S.C. § 1030(a)(2).
  • Requires data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct demonstrated inaccuracies.  There are exemptions for products and services already subject to access and correction rules under the Fair Credit Reporting Act, as well as companies subject to Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.  In addition, there are also exemptions for proprietary, fraud prevention tools and marketing data.
  • Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data.  There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.
  • Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised.  The trigger for notice is tied to significant risk of harm with appropriate checks-and-balances to prevent over-notification as well as underreporting.  There are exemptions for national security and law enforcement needs, credit card companies using fraud-prevention techniques or where a breach does not result in a significant risk of harm.
  • Provides tough monetary penalties for failing to provide privacy and security protections and notices of security breaches.  Imposes a criminal penalty in cases where there is intentional and willful concealment of a security breach known to require notice.

# # # # #

Press Contact

David Carle: 202-224-3693
