Leahy Takes Third Shot at Data Breach Notifications

Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., rolled out legislation July 22 that would establish national standards for data breach notifications to consumers. The bill would also require companies and organizations that maintain personal data to establish internal policies to protect the personal data of Americans.

The Personal Data Privacy and Security Act also calls for the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers and to impose penalties on government contractors that fail to meet data privacy and security requirements.

"This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses," Leahy said in a statement.  "The President's recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion. The FBI’s Internet Fraud Complaint Center also recently reported that complaints of Internet fraud increased by 33 percent in 2008. These troubling reports are all compelling examples of why we need to promptly pass the Personal Data Privacy and Security Act."

Nevertheless, Leahy's bill failed to arouse the interest of the U.S. Senate twice before. In 2005 and in 2007, Leahy introduced similar legislation that cleared the Senate Judiciary Committee but never generated enough support for a full floor vote. Opposition from financial institutions, data brokers and retailers stalled the legislation. In lieu of federal legislation, a number of states have approved data breach disclosure laws, creating a hodgepodge of different laws and regulations.

"When Sen. [Arlen] Specter and I first introduced this bill four years ago, we had high hopes of bringing urgently needed data privacy reforms to the American people," Leahy said in floor remarks accompanying the legislation. "While the Congress has waited to act, the dangers to our privacy, economic prosperity and national security posed by data breaches have not gone away."

Leahy noted a report this week from the Government Accountability Office that found that almost all of the nation’s major federal agencies have weaknesses in their information security controls. In addition, the Privacy Rights Clearinghouse has also said that more than 250 million records containing sensitive personal information have been involved in data security breaches since 2005.