Senator Patrick Leahy is trying for a third time to convince Congress that the U.S. needs a national data breach standard through the Personal Data Privacy and Security Act of 2009. Senate Bill 1490 was introduced on July 22, 2009, and like its predecessors, it would preempt 45 states' laws and set standards for data breach notification and require organizations that maintain personal data of Americans to establish an internal security program to protect that data. For example, the bill would require internal testing “to ensure that third parties or customers who are authorized to access this information have a valid legal reason for accessing or acquiring the information.” The bill would also require the government to establish privacy and security rules for using commercial data brokers and to conduct audits of contractors.
The bill imposes penalties, including enhanced criminal penalties, for those who do not comply. It would increase criminal penalties for identity theft involving electronic personal data and make it a crime to “intentionally or willfully conceal a security breach involving personal data.” The latter could be punished by a fine, imprisonment of up to 5 years, or both, and the FTC could issue civil penalties of up to $10,000 per day for intentional and willful violations.
The bill does have some important caveats as a result of the opposition faced by the original two bills from retailers, financial institutions and data brokers. Significantly, smaller entities would be exempt from certain data breach notification provisions if the information of fewer than 10,000 people was believed to have been acquired, and exempt from certain security requirements if they do not collect, access or use information on 10,000 or more people. As with similar provisions in a number of states' laws, the bill also exempts from certain notification requirements those organizations that certify in writing that providing notice would impede a criminal investigation or damage national security; the Secret Service is charged with determining whether such claims are true. Also, although notification to law enforcement must generally be provided within 14 days, there is no hard deadline for notifying consumers affected by a breach: it must simply be “without unreasonable delay.” The bill includes a definition for “reasonable delay” and places the burden of proof on the entity from whom notification is required.
The bill is available here.