Personal Data Privacy and Security Act

Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, introduced the Personal Data Privacy and Security Act (S.1151) that would establish a national standard for the notification to consumers by corporations when data breaches occur.

Leahy introduced similar legislation in 2005, 2007 and 2009, and each time the measures cleared the Senate Judiciary Committee but never came up for a vote in the Senate.

The bill would criminalize concealing data breaches that could result in economic damages to consumers and would increase penalties under the Computer Fraud and Abuse Act. The bill also makes hacking or attempting to hack a computer a criminal offense, and private firms would be required to establish and maintain data privacy and security protocols.

The legislation, among its provisions, would nationalize data breach notification under a single law. The bill would require notice to consumers when their sensitive personal information has been compromised. The data breach notification provisions would apply to federal agencies as well as private organizations.

The federal breach notification measure, if enacted, would supersede most provisions of state breach notification laws, though a state attorney general could enforce the federal law in federal courts. Leahy's bill does not cover breaches to local and state governments, so states could enforce and enact notification laws covering non-federal government entities.

Other provisions include:

  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;
  • A requirement that the government ensure that the privacy and security of sensitive data is protected when the government contracts with third-party contractors.

Some findings and definitions (from the legislative language):

  • “Congress finds that – Sec. 2 (5) it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentiality of that personally identifiable information;
  • Sec. 3 (3) BUSINESS ENTITY.—The term ‘‘business entity’’ means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture established to make a profit, or nonprofit.
  • Sec. 3 (5) DATA BROKER.—The term ‘‘data broker’’ means a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.
  • Sec. 3 (6) DATA FURNISHER.—The term ‘‘data furnisher’’ means any agency, organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or nonprofit that serves as a source of information for a data broker.”