Leahy Statement On the Introduction of the Consumer Privacy Protection Act of 2017

Today, I am introducing the Consumer Privacy Protection Act of 2017.  This legislation, if enacted, will help ensure that when Americans entrust corporations with their most sensitive personal information, these corporations take the right steps to keep this information secure, and do the right thing in the event of a data breach.  In today’s modern world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security. 

The need for this legislation has long been clear, and never more so than in the wake of the recent, massive Equifax data breach.  After media investigations and multiple Congressional hearings, we learned that the Equifax breach exposed the sensitive personal information of almost half the American population.  We also learned that Equifax failed to take basic steps to secure its databases, and waited an unjustifiably long period before notifying consumers and regulators.  Clearly, it is past time for all corporations that hold our personal information to maintain some common-sense, baseline cybersecurity standards.

Corporations make significant profits from our personal information, and they should be obligated to keep it safe.  Yet too often, data breaches continue to plague American businesses and compromise the privacy of millions of consumers.  At the same time, the amount of information we share with corporations who are the target of these breaches is growing.  Corporations collect and store our social security numbers, our bank account information, and our email addresses.  They collect information about our private health and medical conditions.  They know what routes we take to work and where we drop our kids off at school.  They can replicate our fingerprints or even faceprints.  We trust them with private photographs that we store in the cloud.  This information is increasingly targeted by both criminal hackers and nation-states, including hostile foreign powers.

The Consumer Privacy Protection Act I am introducing today is based on legislation I first introduced in 2015, and builds and expands on data security legislation that I have introduced in Congress since 2005.  It seeks to protect the vast amount of information that we now share with corporations each and every day.  Americans want to know that the corporations who are profiting from their information are actually doing something to prevent the next data breach.  Americans want to know when someone has had unauthorized access to their bank accounts and to their private family photographs, but they do not just want to be notified of yet another data breach.  Consumers should not have to settle for mere notice of data breaches.  American consumers deserve protection.  This legislation would accomplish that.  

The Consumer Privacy Protection Act requires that corporations meet certain baseline privacy and data security standards to keep information they store about their customers safe, and requires that corporations provide notice and protection to consumers in the event of a breach.  This legislation protects broad categories of data, including, (1) social security numbers and other government-issued identification numbers; (2) financial account information, including credit card numbers and bank accounts; (3) online usernames and passwords, including email names and passwords; (4) unique biometric data, including fingerprints; (5) information about a person’s physical and mental health; (6) information about geolocation; and (7) access to private digital photographs and videos.

It is true that not every breach can be prevented.  Cyber criminals and nation-state actors are determined and constantly looking for new ways to pierce the most sophisticated security systems.  But just as we expect a bank to put a lock on the front door and an alarm on the vault to protect its customers’ money, we expect corporations to take reasonable measures to protect the personal information they collect from us.  Unfortunately, many of the corporations that profit from the very information that we entrust them to protect have woefully inadequate measures to secure this information.  For others, security is simply not a priority.  American consumers deserve better and our national security demands it.

This legislation creates civil penalties for corporations that fail to meet the required privacy and data security standards established in the bill or fail to provide notice and protection to consumers when a breach occurs.  The Department of Justice, the Federal Trade Commission, and State attorneys general each have a role in enforcement.  This legislation also requires corporations to inform Federal law enforcement of all large data breaches, as well as breaches that could impact the federal government.  Such notification is necessary to help law enforcement bring these cyber criminals to justice and identify patterns that help protect against future attacks.

Many Americans understandably assume Federal law already protects this sensitive information—common sense tells us that it should.  Unfortunately, the reality is that it does not.  States provide a patchwork of protection, and while some laws are strong, others are not.  For example, my home state of Vermont has a strong data breach notification law that has been in effect since 2007.  But there are many other States that have not passed data security laws designed to prevent data breaches.

This legislation sets a floor: a baseline standard that protects Americans across the country, while also freeing individual States to provide even stronger protections to their residents.  In crafting Federal law, we must be careful not to override strong State laws, but we also need to ensure that all Americans, regardless of where they live, have their privacy protected.  To this end, the Consumer Privacy Protection Act preempts State law relating to data security and data breach notification only to the extent that the protections under those laws are weaker than those provided for in this bill.  We must ensure that consumers do not lose privacy protections they currently enjoy.  Since this bill is modeled after those States with the strongest consumer protections, I believe it will improve protections for consumers in nearly every State.

I am joined today by Senators Markey, Blumenthal, Wyden, Franken, and Baldwin in introducing this legislation.  These Senators have long shared my commitment to protecting consumer privacy.  This legislation also has the support of leading consumer privacy advocates, including: the Center for Democracy and Technology, the Consumer Federation of America, New America’s Open Technology Institute, and Public Knowledge. 

Millions of Americans who have had their personal information compromised or stolen as a result of a data breach consider this issue to be of critical importance and a priority for the Senate.  Protecting privacy rights should be important to all of us, regardless of party or ideology.  I hope all Senators will support this common-sense measure to better protect Americans’ privacy.  

Press Contact

David Carle: 202-224-3693