On April 30, 2015, Senator Patrick Leahy (D-VT) introduced new data breach legislation. The proposed law would require companies to meet certain consumer privacy and data protection standards and to notify individuals within 30 days of a breach. The proposed law would preempt less stringent state data security laws.
Senator Leahy has introduced data breach legislation in every Congress since 2005. This latest proposal follows several similar proposals, such as the Data Security and Breach Notification Act, which was approved by the House Energy and Commerce Committee on April 15, and the Data Security Act, which was introduced on the same day. The day after Leahy announced his bill, other members of Congress introduced yet another data security bill. Leahy’s latest effort differs from those proposals in two key respects.
First, the Leahy bill contains a broader definition of personal information. For example, in addition to covering data that most state laws cover – such as a non-truncated social security number, a driver’s license number, a passport number, and account numbers in combination with a password – the Leahy bill also covers “information about an individual’s geographic location,” “password-protected digital photographs and digital videos not otherwise available to the public,” and certain health information and biometric data.
Second, the proposed law would only preempt state law where the state law is “less stringent” than the requirements of the federal law. The issue of whether state data security and notification standards would be preempted has previously frustrated efforts to push through national legislation.
The proposed bill is also notable for its provisions designed to prevent data breaches. The bill would require companies that store sensitive personal or financial information on 10,000 customers or more to meet specific security standards to keep this information safe. In a statement introducing the legislation, Leahy noted that while 47 states have data breach notification requirements, only 12 states have passed data security requirements designed to prevent data breaches.
The proposed legislation creates civil penalties for companies that fail to meet the required privacy and data security standards or fail to notify customers when a breach occurs. Specifically, the attorney general may impose a penalty of up to $16,500 for each individual whose sensitive personally identifiable information was placed at risk, subject to an aggregate penalty cap of $5,000,000. Additionally, state attorneys general may bring a civil action on behalf of their residents. Finally, the proposed law would not limit the Federal Trade Commission’s current authority, and any violation of the law would constitute a per se violation of the Federal Trade Commission Act.
The bill is cosponsored by Senators Al Franken (D-MI), Elizabeth Warren (D-MA), Richard Blumenthal (D-CT), Ron Wyden (D-OR), and Edward J. Markey (D-MA).