Senate Judiciary Committee Chairman Patrick Leahy (D-VT) Introduces Data Security Bill

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has introduced a data security bill that would require certain business entities that store personal data to implement data privacy and security programs, modeled after those established for financial institutions to protect customer information.  Notably, the bill provides for a national standard for breach notification and tough criminal penalties, including up to five years in prison, for individuals who intentionally conceal the fact that a data breach has occurred when the breach causes economic damage to one or more persons.  The bill also requires data brokers that are not already subject to privacy and data security obligations under existing laws, such as the Fair Credit Reporting Act and Gramm-Leach-Bliley, to disclose to an individual upon request all personal electronic records regarding that individual, and to notify an individual under certain circumstances where a party has taken an adverse action based on the broker’s data.  In a provision relevant to government contractors, the bill would require the General Services Administration to consider a contractor’s history of data breaches and data privacy and security programs when awarding contracts of more than $500,000.

While Leahy has introduced a version of the bill in every session of Congress since 2005, he noted in a statement that recent data breaches, like those at Sony, Epsilon and Lockheed Martin, as well as Google’s announcement of an “apparent state-sponsored cyberattack” on Gmail from China, emphasize the need for a national strategy on privacy and cybersecurity. 

Certain provisions in the bill mirror suggestions in the May 12, 2011, Obama Administration Cybersecurity Legislative Proposal, such as the bill’s breach notification provision, as well as a provision updating the Computer Fraud and Abuse Act so that attempted computer hacking and conspiracy to commit computer hacking are subject to the same criminal penalties as the underlying offenses.