On June 7, 2011, Senator Patrick Leahy introduced “The Personal Data Privacy and Security Act” — the fourth time he has introduced this particular piece of legislation. According to the senator’s press release, the law would “establish a national standard for data breach notification, and require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.” This latest reincarnation of the law was likely prodded by the White House’s recent legislative call to action — a call to action that had listed first a national data breach notification law.
The 70 page bill proposes significant changes to existing laws – many of which make sense now that the theft of personal data has become a mainstay of organized crime. For example, as recommended by the recent White House proposal, it amends the Computer Fraud and Abuse Act to add RICO-like language. There are also significant obligations for data brokers as well as money penalties assessed to data brokers who violate these obligations. Throughout the proposed law; and including the section regarding data broker duties, state attorney generals are given broad powers to bring civil actions and can obtain significant money penalties for violations of the law.
Another section of the proposed law seeks to ensure that any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons” must adhere to “standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.” Unlike the Red Flags regulations promulated by the FTC and subsequently clarified by Congress, these requirements would reach beyond creditors. And, those businesses already subject to existing data safeguarding laws such as HIPAA and Gramm-Leach-Bliley would be exempt from these new requirements. Violations of this section would bring with it significant money penalties as well as possible enforcement by either the FTC or state attorney generals. As with the other sections of the proposed law, there is no private right of action.
The final section of the proposed law provides for nationwide data breach notification which generally requires that all subject breaches be reported without unreasonable delay. Again, state attorney generals are given broad enforcement rights:
The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.
Without the ability to bring a private right of action, these enforcement powers and penalties still only indirectly stir the class action pot.
Of the many competing privacy and data security laws being offered up in Congress, it remains to be seen which is the front runner. Given that both parties have endorsed a federal breach notification law that would serve to harmonize the 47 state breach notice laws and this one apparently seeks to combine the best of current state law, it seems at least the breach notification section of Leahy’s proposed law might have a chance of passing both houses. As well, this proposed law is not likely to upset privacy advocates given the Department of Commerce is given no new powers. Most importantly, given that it has much of what was outlined in the recent White House proposal, the entire proposed law would likely be signed into law by the President. For good or for bad, with only 40 legislative days left before the election that wouldn’t be happening any time soon.