On January 8, 2014, Sen. Patrick Leahy (D-Vt) re-introduced a personal privacy protection bill intended “to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.” Personal Data Privacy and Security Act of 2014, S. 1897 at preamble (introduced Jan. 8, 2014). Sen. Leahy introduced prior versions of this bill in 2005, and in each of the four Congresses since. Press Release, “Leahy Reintroduces Data Privacy Legislation,” Jan. 8, 2014.
Sen. Leahy’s published summary of the bill provides a detailed list of the key components. There are two principal titles in this bill: 1) Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security; and 2) Privacy and Security of Personally Identifiable Information (“PII”). (There is a third title, relating to compliance with a statutory Pay-As-You-Go Act, but the text is a short paragraph and just relates to budget compliance.) See Leahy’s Section-By-Section Analysis of the Bill.
Punishment Enhancement: The Bill adds expands the definition of racketeering activity (18 U.S.C. § 1961(1)) to include violations of the Computer Fraud and Abuse Act (“CFAA,” 18 U.S.C. §1030); criminalizes the knowing concealment of a security breach that requires notice (and provides for either a fine or imprisonment up to 5 years); enhances the penalties for fraud and related activities under the CFAA; provides the same penalties for conspiracy to commit computer hacking as for completed, substantive offenses; clarifies the criminal forfeiture requirements; creates a civil forfeiture provision (providing that gross, not net, proceeds may be forfeited under this section); precludes civil actions based on violations of acceptable use policies or terms of service agreements; and adds a new criminal provision making it a felony to damage a computer that manages critical infrastructure systems, such as national security, transportation or public health and safety (imprisonment would be between 3 and 20 years if convicted).
Privacy and Security of PII. It covers detailed requirements for data privacy and security programs; enforcement for data breach events (although this specifically denies a private right of action); security breach notifications (to whom made, method, contents, timing, notice to law enforcement, permitting delays by Secret Service or FBI where notice could impede active criminal investigations or national security); and preemption of state law on breach notification; and enforcement (it appears to provide only agency enforcement (by federal or state agencies) or criminal enforcement, and not a private right of action).
Bill Status
This version of the legislation comes close on the heels of the data breach at Target retail stores, involving the “debit and credit card data of as many as 40 million customers during the Christmas holidays.” Id. (quoting Sen. Leahy). Once introduced, the bill was read twice, and referred to the Senate Judiciary Committee. Bill Status (last visited on Jan. 26, 2014); see also Detailed Summary. Sen. Leahy also announced that the bill “will be” the focus of a hearing before the Senate Judiciary Committee this year. Id. (Sen. Leahy is chair of the Senate Judiciary Committee.)
Senate Hearing: February 4, 2014 (To be Webcast in Real Time)
Two panels of testifying witnesses are currently scheduled. Panel 1 includes John J. Mulligan, EVP and CFO of Target Corporation and Delara Derakhshani, Policy Counsel of Consumers Union (publishers of Consumer Reports). Panel 2 includes The Honorable Edith Ramirez, Chairwoman of the Federal Trade Commission, William Noonan, Deputy Special Agent in Charge at the Criminal Investigative Division of the U.S. Secret Service and Mythili Raman, Acting Assistant Attorney General in the Criminal Division at the U.S. Department of Justice.
If prior hearings are any indication, then it is likely this hearing, which has been announced as a webcast, will also broadcast live. Visit the Judiciary Committee’s Hearing Notice to access the video feed.
Other Data Privacy Legislation
Sen. Leahy’s Bill is not the only one proposed in the current Congress relating to data security breaches and notifications to customers. Indeed, there are 303 other bills pending with the words “privacy” in their title. See Search Results. One particularly noteworthy is the Data Security Act of 2014 (S. 1927), introduced by Sen. Thomas Carper (D-DE) and Sen. Blunt (R-MO) on January 15, 2014. It seems to also be responsive to the Target data breach notification problem in December 2013. It was read twice and referred to the Senate Committee on Banking, Housing, and Urban Affairs.