On January 8, 2014, Senator Patrick Leahy (D-VT), Chair of the U.S. Senate Judiciary Committee, reintroduced the Personal Data Privacy and Security Act of 2014, comprehensive information security legislation that would establish a national standard for data breach notification and require businesses to safeguard customers’ sensitive personal information from cyber threats. The bill also would establish criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the incident causes economic damage to consumers.
Senator Leahy first introduced the Personal Data Privacy and Security Act in 2005, and he has reintroduced the legislation in each of the previous four Congresses. Key provisions in the bill include:
- criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;
- a requirement for companies that maintain personal data to establish and implement internal policies to protect data privacy and security; and
- an update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense.
The bill also authorizes the Federal Trade Commission to write and enforce rules requiring companies to protect “personally identifiable information” and to notify consumers in the event of a breach. Violators could face up to $500,000 in civil penalties. The FTC currently lacks explicit congressional authority in this area; data security cases are pursued under Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices.
Senator Leahy announced that the issue of data privacy would be the subject of a Judiciary Committee hearing early in the new Senate session. Senator Deb Fischer (R-NE) also called for Congressional action on data security, urging the Senate Committee on Commerce, Science, and Transportation, on which she sits, to take up the issue.