Leahy Introduces Cybersecurity Legislation

WASHINGTON (Wednesday, July 22, 2009) – Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) Wednesday introduced legislation to better protect Americans’ privacy and personal information and to improve the nation’s cybersecurity.  The comprehensive Personal Data Privacy and Security Act will require data brokers and companies to establish and implement data privacy and security programs.

Leahy has introduced the legislation in two previous Congresses, and twice the Judiciary Committee has reported the measure.  Leahy reintroduced the bill Wednesday following the release of a report this week from the Government Accountability Office that found that almost all of the nation’s major federal agencies have weaknesses in their information security controls.  The Privacy Rights Clearinghouse has also said that more than 250 million records containing sensitive personal information have been involved in data security breaches since 2005.  Leahy has identified passage of the Personal Data Privacy and Security Act as one of his top legislative priorities.

“This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place,” said Leahy.  “Passing this comprehensive data privacy legislation is one of my highest legislative priorities as Chairman of the Judiciary Committee.”

Leahy has been a longtime champion of privacy protections, and has testified before congressional Committees on the importance of the data privacy legislation.  Among the first hearings of the Senate Judiciary Committee this Congress, Leahy held an important hearing on privacy concerns associated with electronic health records.  He was able to secure several health privacy provisions in the economic recovery package enacted earlier this year.

The Personal Data Privacy and Security Act would:

• Increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data;
• Giving individuals access to, and the opportunity to correct, any personal information held by commercial data brokers;
• Requiring entities that maintain personal data to establish internal policies that protect the personal data of Americans;
• Requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and
• Requiring the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.

Upon introduction of the legislation, Leahy also cited recent reports from the Federal Bureau of Investigation and the White House about the critical need for stronger data privacy protections. 

“This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses,” said Leahy.  “The President’s recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion.   The FBI’s Internet Fraud Complaint Center also recently reported that complaints of Internet fraud increased by 33 percent in 2008.  These troubling reports are all compelling examples of why we need to promptly pass the Personal Data Privacy and Security Act.”

# # # # #

Section-By-Section Summary (For Background Purposes)

Statement of Senator Patrick Leahy,
Chairman, Committee on the Judiciary,
On Introduction Of
The Personal Data Privacy and Security Act of 2009
July 22, 2009

MR. PRESIDENT.  Today, I am pleased to reintroduce the Personal Data Privacy and Security Act.  The recent and troubling cyber attack on U.S. government computers is clear evidence that developing a comprehensive national strategy for data privacy and cybersecurity is one of the most challenging and important issues facing our nation.  The Personal Data Privacy and Security Act will help to meet this challenge, by better protecting Americans from the growing threats of data breaches and identity theft.

When Senator Specter and I first introduced this bill four years ago, we had high hopes of bringing urgently needed data privacy reforms to the American people.  Although the Judiciary Committee favorably reported this bill twice, in 2005 and again in 2007, the legislation languished on the Senate calendar and the Senate adjourned without passing comprehensive data privacy legislation.

While the Congress has waited to act, the dangers to our privacy, economic prosperity and national security posed by data breaches have not gone away.  Just this week, the Government Accountability Office released a report finding that almost all of our major federal agencies have systemic weaknesses in the information security controls.  According to the Privacy Rights Clearinghouse, more than 250 million records containing sensitive personal information have been involved in data security breaches since 2005.  

This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses.  The President’s recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion.

The FBI’s Internet Fraud Complaint Center also recently reported that complaints of Internet fraud increased by 33 percent in 2008.  These troubling reports are all compelling examples of why we need to promptly pass the Personal Data Privacy and Security Act.

Earlier this year, the Judiciary Committee held an important hearing on the privacy risks associated with electronic health records as the Nation moves towards a national health IT system.  I am pleased that many of the privacy principles developed during that hearing have been enacted as part of the President’s economic recovery package. 

The Personal Data Privacy and Security Act requires that data brokers let consumers know what sensitive personal information they have about them, and to allow individuals to correct inaccurate information.  The bill also requires that companies that have databases with sensitive personal information on Americans establish and implement data privacy and security programs. 

In addition, the bill requires notice when sensitive personal information has been compromised.  This bill also provides for tough criminal penalties for anyone who would intentionally and willfully conceal the fact that a data breach has occurred when the breach causes economic damage to consumers.  Finally, the bill addresses the important issue of the government’s use of personal data by requiring that federal agencies notify affected individuals when government data breaches occur, and placing privacy and security front and center when federal agencies evaluate whether data brokers can be trusted with government contracts that involve sensitive information about the American people.

Of course, Senator Specter and I have no monopoly on good ideas to solve the serious problems of identity theft and lax cybersecurity.  But, we have put forth some meaningful solutions to this problem in this bill.

We have drafted this bill after long and thoughtful consultation with many of the stakeholders on this issue, including the privacy, consumer protection and business communities.  We have also worked closely with other Senators, including Senators Feinstein, Feingold and Schumer. 

This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place.  Passing this comprehensive data privacy legislation is one of my highest legislative priorities as Chairman of the Judiciary Committee, and I hope all Senators will support this measure.  I ask that a copy of the bill be printed in the record following my statement.

# # # # #

Section-By-Section Summary of the personal data privacy and security act

For Background Purposes Only

Title I – Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security

Section 101 – Organized Criminal Activity in Connection with Unauthorized Access to Personally Identifiable Information

Section 101 amends 18 U.S.C. § 1961(1) to add intentionally accessing a computer without authorization to the definition of racketeering activity.

Section 102 -   Concealment of Security Breaches Involving Sensitive Personally Identifiable Information

Section 102 makes it a crime for a person who knows of a security breach requiring notice to individuals under Title III of this Act, and of the obligation to provide such notice, to intentionally and willfully conceal the fact of, or information related to, that security breach.  Punishment is either a fine under Title 18, or imprisonment of up to 5 years, or both.

Section 103 – Review and Amendment of Federal Sentencing Guidelines Related to Fraudulent Access to or Misuse of Digitized or Electronic Personally Identifiable Information

Section 103 requires the U.S. Sentencing Commission to review and, if appropriate, amend the federal sentencing guidelines for persons convicted of using fraud to access, or to misuse, digitized or electronic personally identifiable information, including sentencing guidelines for the offense of identity theft or any offense under 18 U.S.C. §§ 1028, 1028A, 1030, 1030A, 2511 and 2701.

Section 104 – Effects of Identity Theft on Bankruptcy Proceedings

Section 104 amends 11 U.S.C. §§ 101 and 707(b) to exempt debtors from Section 707(b)(2) means testing under the Bankruptcy Abuse Prevention and Consumer Protection Act, if the debtor’s financial problems were caused by identity theft.  This Section requires that, to be eligible for this exemption, the identity theft must result in at least $20,000 in debt in one year, 50 percent of the debtor’s bankruptcy claims, or 25 percent of the debtor’s gross income for a 12-month period.  The purpose of this provision is to ensure that victims who incur debts due to identity theft have all available protections under the bankruptcy code.

Title II- Data Brokers

Title II addresses the data brokering industry that has come of age, prompted by technology developments and changes in marketplace incentives.  Data brokers collect and sell billions of private and public records about individuals, including personal, financial, insurance, medical and “lifestyle” data, as well as other sensitive information, such as details on neighbors and relatives, or even digital photographs of individuals.  Companies like ChoicePoint, LexisNexis and Acxiom, which are generally regarded as leaders in this industry, use this information to provide a variety of products and services, including fraud prevention, identity verification, background screening, risk assessments, individual digital dossiers and tools for analyzing data. 

Although some of the products and services offered by data brokers are subject to existing privacy and security protections aimed at credit reporting agencies and the financial industry under the Fair Credit Reporting Act (“FCRA”) and Gramm-Leach-Bliley (“GLB”), many are not subject to such protections.  In addition, there has been insufficient oversight of the industry’s practices, including the accuracy and handling of sensitive data.  These concerns have been highlighted by numerous reports of harm caused by inaccurate data records.  This Title draws from the principles in FCRA and GLB to close these loopholes.

Section 201 – Transparency and Accuracy of Data Collection

Section 201 applies disclosure and accuracy requirements to data brokers that engage in interstate commerce and offer any product or service to third parties that allows access to, or use, compilation, distribution, processing, analyzing or evaluating of personally identifiable information.  Section 201 requirements are not applicable to products and services already subject to similar disclosure and accuracy provisions under FCRA and GLB, and implementing regulations.

Section 201 requires data brokers to disclose to individuals, upon their request and for a reasonable fee, all personal electronic records pertaining to that individual that the data broker maintains for disclosure to third parties.  Section 201 also requires data brokers to establish a fair process for individuals to dispute, flag or correct inaccuracies in any information that was not obtained from a licensor or public record.  Modeled after Section 611 of FCRA, Section 201 requires data brokers to: (1) investigate disputed information within 30 days; (2) notify any data furnishers who provided disputed information and identify such data furnishers to the individual disputing the information; (3) provide notice to individuals on dispute resolution procedures and the status of dispute investigations, including whether the dispute was determined to be frivolous or irrelevant, whether the disputed information was confirmed to be accurate, or whether the disputed information was deleted as inaccurate; and (4) allow individuals to include a statement of dispute in the electronic records containing the disputed personal information.  If the information was obtained from a licensor or public record, the data broker must provide the individual with contact information for the source of the data.

Section 201 also provides that, under circumstances where a person or business takes an adverse action regarding a consumer, which is based in whole or in part on data maintained by a data broker, the person or business must notify the consumer in writing of the adverse action and provide contact information for the data broker that furnished the information, a copy of the information at no cost and the procedures for correcting such information.

Section 202 – Enforcement

A data broker that violates the access and correction provisions of Section 201 is subject to penalties of $1,000 per violation per day with a maximum penalty of $250,000 per violation.  A data broker that intentionally or willfully violates these provisions is subject to additional penalties of $1,000 per violation per day, with a maximum of an additional penalty of $250,000 per violation.

The Federal Trade Commission (“FTC”) will enforce Section 202 and may bring an enforcement action to recover penalties under this provision.  States have the right to bring civil actions under this Section on behalf of their residents in U.S. district courts, and this section requires that States provide advance notice of such court proceedings to the FTC, where practicable.  The FTC also has the right to stay any state action brought under this Section and to intervene in a state action.

Section 203 – Relation to State Laws

Section 203 preempts State laws with respect to the access and correction of personal electronic records held by data brokers.

Section 204 – Effective Date

Section 204 provides that Title II will take effect 180 days after the date of the enactment of the Personal Data Privacy and Security Act.

Title III– Privacy and Security of Personally Identifiable Information

      Subtitle A – A Data Privacy and Security Program

Section 301 – Purpose and Applicability of Data Privacy and Security Program

Section 301 addresses the data privacy and security requirements of Section 302 for business entities that compile, access, use, process, license, distribute, analyze or evaluate personally identifiable information in electronic or digital form on 10,000 or more U.S. persons.  Section 301 exempts from the data privacy and security requirements of Section 302 businesses already subject to, and complying with, similar data privacy and security requirements under GLB and implementing regulations, as well as examination for compliance by Federal functional regulators as defined in GLB, and HIPPA regulated entities.

Section 302 – Requirements for a Personal Data Privacy and Security Program

Section 302 requires covered business entities to create a data privacy and security program to protect and secure sensitive data.  The requirements for the data security program are modeled after those established by the Office of the Comptroller of the Currency for financial institutions in its Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. § 30.6 Appendix B (2005).

A data privacy and security program must be designed to ensure security and confidentiality of personal records, protect against anticipated threats and hazards to the security and integrity of personal electronic records, protect against unauthorized access and use of personal records, and ensure proper back-up storage and disposal of personally identifiable information.  In addition, Section 302 requires a covered business entity to: (1) regularly assess, manage and control risks to improve its data privacy and security program; (2) provide employee training to implement its data privacy and security program; (3) conduct tests to identify system vulnerabilities; (4) ensure that overseas service providers retained to handle personally identifiable information, but which are not covered by the provisions of this Act, take reasonable steps to secure that data; and (5) periodically assess its data privacy and security program to ensure that the program addresses current threats.  Section 302 also requires that the data security program include measures that allow the data broker (1) to track who has access to sensitive personally identifiable information maintained by the data broker and (2) to ensure that third parties or customers who are authorized to access this information have a valid legal reason for accessing or acquiring the information.

Section 303 - Enforcement

Section 303 gives the FTC the right to bring an enforcement action for violations of Sections 301 and 302 in Subtitle A.  Business entities that violate sections 301 and 302 are subject to a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation.  Intentional and willful violations of these sections are subject to an additional civil penalty of $5,000 per violation, per day and an additional maximum penalty of $500,000 per violation.  This section also grants States the right to bring civil actions on behalf of their residents in U.S. district courts, and requires States to give advance notice of such court proceedings to the FTC, where practicable.  There is no private right of action under this subtitle.

Section 304 – Relation to Other Laws

Section 304 preempts state laws relating to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information.  The requirements referred to in this Section are the same requirements set forth in Section 302.

      Subtitle B – Security Breach Notification

Section 311 – Notice to Individuals

Section 311 requires that a business entity or federal agency give notice to an individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, compromised, following the discovery of a data security breach.  The notice required under Section 311 must be made without unreasonable delay.  Section 311(b) requires that a business entity or federal agency that does not own or license the information compromised as a result of a data security breach notify the owner or licensee of the data.  The owner or licensee of the data would then provide the notice to individuals as required under this Section.  However, agreements between owners, licensees and third parties regarding the obligation to provide notice under Section 311 are preserved.

Section 312 – Exemptions

Section 312 allows a business entity or federal agency to delay notification by providing a written certification to the U.S. Secret Service that providing such notice would impede a criminal investigation, or damage national security.  This provision further requires that the Secret Service must review all certifications from business entities (and may review certifications from agencies) seeking an exemption from the notice requirements based upon national security or law enforcement, to determine if the exemption sought has merit.  The Secret Service has 10 business days to conduct this review, which can be extended by the Secret Service if additional information is needed.  Upon completion of the review, the Secret Service must provide written notice of its determination to the agency or business entity that provided the certification.  If the Secret Service determines that the exemption is without merit, the exemption will not apply.  Section 312 also prohibits federal agencies from providing a written certification to delay notice, to conceal violations of law, prevent embarrassment or restrain competition.

Section 312(b) exempts a business entity or agency that conducts a risk assessment after a data breach occurs, and finds no significant risk of harm to the individuals whose sensitive personally identifiable information has been compromised, from the notice requirements of Section 311, provided that:  (1) the business entity or federal agency notifies the Secret Service of the results of the risk assessment within 45 days of the security breach and (2) the Secret Service does not determine within 10 business days of receipt the notification that a significant risk of harm does in fact exist and that notice of the breach should be given.  Under Section 312(b) a rebuttable presumption exists that the use of encryption technology, or other technologies that render the sensitive personally identifiable information indecipherable, and thus, that there is no significant risk of harm.

Section 312(c) also provides a financial fraud prevention exemption from the notice requirement, if a business entity has a program to block the fraudulent use of information -- such as credit card numbers -- to avoid fraudulent transactions.  Debit cards and other financial instruments are not covered by this exemption. 

Section 313- Methods of Notice

Section 313 provides that notice to individuals may be given in writing to the individuals last known address, by telephone or via email notice, if the individual has consented to email notice.  Media notice is also required if the number of residents in a particular state whose information was, or is reasonably believed to have been compromised exceeds 5,000 individuals.

Section 314 – Content of Notification

Section 314 requires that the notice detail the nature of the personally identifiable information that has been compromised by the data security beach, a toll free number to contact the business entity or federal agency that suffered the breach, and the toll free numbers and addresses of major credit reporting agencies.  Section 314 also preserves the right of States to require that additional information about victim protection assistance be included in the notice.

Section 315 - Coordination of Notification with Credit Reporting Agencies

Section 315 requires that, for situations where notice of a data security breach is required for 5,000 or more individuals, a business entity or federal agency must also provide advance notice of the breach to consumer reporting agencies.

Section 316 – Notice to Law Enforcement

Section 316 requires that business entities and federal agencies notify the Secret Service of the fact that a security breach occurred within 14 days of the breach, if the data security breach involves:  (1) more than 10,000 individuals; (2) a database that contains information about more than 1 million individuals; (3) a federal government databases; or (4) individuals known to be government employees or contractors involved in national security or law enforcement.  The Secret Service is responsible for notifying other federal law enforcement agencies, including the FBI, and the relevant State Attorneys General within 14 days of receiving notice of a data security breach.

Section 317 - Enforcement

Section 317 allows the Attorney General to bring a civil action to recover penalties for violations of the notification requirements in Subtitle B.  Violators are subject to a civil penalty of up to $1,000 per day, per individual and a maximum penalty of $1 million per violation, unless the violation is willful or intentional. 

Section 318 – Enforcement by State Attorneys General

Section 318 allows State Attorneys General to bring a civil action in U.S. district court to enforce Subtitle B.  The Attorney General may stay, or intervene in, any state action brought under this subtitle.

Section 319- Effect on Federal and State Law

Section 319 preempts state laws on breach notification, with the exception of state laws regarding providing consumers with information about victim protection assistance that is available to consumers in a particular State.  Because the breach notification requirements in the bill do not apply to state and local government entities, this provision does not to preempt state or local laws regarding the obligations of state and local government entities to provide notice of a data security breach.

Section 320 – Authorization of Appropriations

Section 320 authorizes funds for the Secret Service as may be necessary to carry out investigations and risk assessments of security breaches under the requirements of Subtitle B.

Section 321 – Reporting on Risk Assessment Exemptions

Section 321 requires that the Secret Service report to Congress on the number and nature of data security breach notices invoking the risk assessment exemption and the number and nature of data security breaches subject to the national security and law enforcement exemptions.

Section 322 – Effective Date

Subtitle B takes effect 90 days after the date of enactment of the Personal Data Privacy and Security Act.

            Subtitle C – Office of Federal Identity Protection

Section 331 – Office of Federal Identity Protection

Section 331 establishes an Office of Federal Identity Protection within the FTC, to assist consumers with identity theft issues and concerns, including helping consumers correct their personal information and retrieve stolen information.  The Office of Federal Identity Protection’s activities will also include, providing a website dedicated to assisting consumers with identity theft matters, providing a toll free number to assist consumers, providing guidance and information on obtaining pro bono legal services for victims of identity theft, and issuing certifications to victims of identity theft that can be used to, among other things, establish eligibility for fraud alert and reporting protections under the Fair Credit Reporting Act.

Title IV – Government Access to and Use of Commercial Data

Section 401 – General Services Administration Review of Government Contracts

Section 401 requires the General Services Administration (GSA), when issuing contracts for more than $500,000, to review and consider government contractors’ programs for securing the privacy and security of personally identifiable information, contractors’ compliance with such programs, and any data security breaches of contractors’ systems and the responses to those breaches. 

In addition, GSA is required to include penalties in contracts involving personally identifiable information for (1) failure to comply with Subtitle A (Data Privacy and Security Programs) and Subtitle B (Security Breach Notification) of Title III of this Act and (2) knowingly providing inaccurate information.  Section 401 also requires that GSA include a contract requirement that government contractors exercise due diligence in selecting service providers that handle personally identifiable information and that government contractors take reasonable steps to select service providers that maintain appropriate data privacy and security safeguards.

Section 402 – Requirement to Audit Information Security Practices of Contractors and Third Party Business Entities

Section 402 amends 44 U.S.C. § 3544 to require that federal agencies audit and evaluate the information security practices of government contractors and third parties that support the information technology systems of government agencies.

Section 403 – Privacy Impact Assessment of Government Use of Commercial Information Services Containing Personally Identifiable Information

Section 403(a) updates the E-Government Act of 2002 to require federal departments and agencies that purchase or subscribe to personally identifiable information from a commercial entity, to conduct privacy impact assessments on the use of those services.  In addition, Section 403(b) requires federal departments and agencies that use such services to publish a description of the database, the name of the provider and the contract amount.

Section 403 also requires that federal departments and agencies adopt regulations that specify the personnel allowed to access government databases containing personally identifiable information and the standards for ensuring, among other things, the legitimate government use of such information, the retention and disclosure of such information, and the accuracy, relevance, completeness and timeliness of such information.  Section 403 further provides that federal departments and agencies must include in contracts for more than $500,000 and agreements with commercial data services, penalty provisions for circumstances where a data broker delivers personally identifiable information that it knows to be inaccurate, or has been informed is inaccurate and is in fact inaccurate.  Section 403(c) also requires that data brokers that engage service providers, who are not subject to the data security program requirements of the bill, exercise due diligence in retaining these service providers to ensure that adequate safeguards for personally identifiable information are in place. 

Section 403(d) directs the Government Accountability Office to conduct a follow-up study and report to Congress on federal agency use of commercial databases, including the impact of such use on privacy and security, sufficiency of privacy and security protections, and the extent to which commercial data providers are penalized for privacy and security failures. 

Section 404 – Implementation of Chief Privacy Officer Requirements

Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 requires each agency to create a Chief Privacy Officer.  Section 404 facilitates the efficient and effective implementation of this requirement by directing the Department of Justice to implement this provision by designating a Department-wide Chief Privacy Officer, whose primary role is to fulfill the duties and responsibilities of Chief Privacy Officer.  In addition, the DOJ Chief Privacy Officer will report directly to the Deputy Attorney General.

Section 404 also stipulates responsibilities for the DOJ Chief Privacy Officer that are tailored to the mission of the Department and the requirements of this Act.  Specifically, this Section directs the Chief Privacy Officer to: (1) oversee DOJ’s implementation of the privacy impact assessment requirement under Section 402; (2) promote the use of law enforcement technologies that sustain, rather than erode, privacy protections and ensure technologies relating to the use, collection and disclosure of personally identifiable information preserve privacy and security; and (3) coordinate implementation with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004.

# # # # #