Leahy Introduces Personal Data Privacy and Security Act of 2011

Published On June 8, 2011 | By Lisa Branco | Data Security, General, Privacy

Yesterday Senator Patrick Leahy (D-VT) introduced a data security and privacy bill similar to those he has introduced in the previous three Congresses.  The bill contains provisions that would require businesses to implement data privacy and security programs and impose a national data breach notification standard.

Definitions

– The bill defines “security breach” as a “compromise of security, confidentiality, or integrity of computerized data” that results in:

  • Unauthorized acquisition of sensitive PII; or
  • Access to sensitive PII for unauthorized purposes or in excess of authorization; and
  • Which presents a significant risk of harm or fraud to any individual.

Note: This definition of breach (with the “significant risk of harm or fraud” standard) is much more flexible than the current risk of harm standards in existing state data breach laws.

– “Sensitive personally identifiable information” is defined as:
(A) First and last name or first initial and last name in combination with any of the following data elements:

  • Non-truncated SSN, DL number, passport number, or alien registration number;
  • Any two of the following: home address or telephone number; mother’s maiden name; or month, day, and year of birth;
  • Unique biometric data (e.g., fingerprint, voice print, iris scan); or
  • Unique account identifier, electronic ID, username, or routing code, in combination with any security code, access code, or password, if the code or password is required to obtain money, goods, services, or anything of value; and

(B) A financial account number or credit or debit card number in combination with any security code, access code, or password required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.

Data Privacy and Security Regulations

Title III, Subtitle A of the bill would require businesses to implement a data privacy and security program (according to rules to be promulgated by the FTC) to protect “sensitive personally identifiable information.”

Violations of this section would be enforceable by the FTC or state Attorneys General.

  • Civil penalties would be capped at $5,000 per day per violation, with a maximum of $500,000 per violation.
  • Intentional or willful violations would be subject to additional penalties of a maximum of $5,000 per day per violation, not to exceed a total of $500,000 per violation.
  • No private right of action for violations under this subtitle.

Data Breach Notification

– Section 102 of the bill would impose criminal penalties (including fines and/or imprisonment of up to 5 years) on those who “intentionally and willfully” conceal breaches of personally identifiable information.

– Title III, Subtitle B of the bill would implement a national data breach notification standard** requiring businesses to notify the following in the event of a breach:

  • Affected individuals;
  • Local media in states/jurisdictions where more than 5,000 residents are affected by the breach;
  • The national credit reporting agencies (if more than 5,000 individuals are affected);
  • The Secret Service and FBI (if more than 10,000 individuals are affected, the database compromised is owned by the federal government, or affected individuals are employees of contractors or the federal government involved in national security or law enforcement);

– Breach notices would have to contain a description of the categories of information compromised, a toll-free number, and information on how to contact the national credit reporting agencies.

** Though the bill would pre-empt existing state data security and privacy regulations and data breach notification statutes, there is a provision that would allow states to require companies to include in breach notices information regarding victim protection assistance provided by a particular state.

  • Violations of this subtitle would be enforceable by the Attorney General of the U.S. or state Attorneys General.
  • Civil penalties would be capped at $1,000 per day per violation, with a maximum of $1,000,000 per violation (unless the violation is willful or intentional).
  • No private right of action for violations under this subtitle.

Other provisions of the bill would impose additional requirements on data brokers and enhance punishments for identity theft and other data privacy and security violations.

A full copy of the bill can be found here.
