On June 7, 2011, Senator Patrick Leahy (D-VT) introduced the “Personal Data Privacy and Security Act of 2011” (the “Act”), co-sponsored by Senators Charles Schumer (D-NY) and Ben Cardin (D-MD). This marks the fourth time Senator Leahy has introduced ambitious privacy legislation; in 2005, 2007 and 2009, similar bills failed to advance in the Senate. In his press release, Senator Leahy stated that “many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”
Notably, the Act would require certain data brokers, for a “reasonable fee,” to disclose to individuals their personal electronic records that the data broker accesses or maintains specifically for disclosure to third parties. Along with such disclosures, the data broker must include information on procedures for correcting inaccuracies in the records. Specifically, the Act sets forth an “Accuracy Resolution Process” to amend disputed information held by data brokers and derived from public and private sources. The Act also would require parties that take an “adverse action” based on information contained in a personal electronic record to:
- notify the individual of the adverse action,
- provide the individual with the contact information of the data broker from whom the electronic record was obtained,
- disclose the electronic record to the individual, and
- inform the individual how he or she may correct the electronic record used in the action.
As we previously reported, on May 12, 2011, the White House released a cybersecurity legislative proposal that, in part, advocated a national standard for a data breach reporting system. In his statement, Senator Leahy noted that his Act contains a similar national breach notification standard that would require covered businesses and agencies (but not state and local governments) to notify affected individuals by mail, telephone or email of a security breach “without unreasonable delay” following discovery of the breach. Media notices would be required for breaches involving 5,000 or more individuals. Furthermore, businesses and agencies would be required to report to the United States Secret Service and the Federal Bureau of Investigation if a breach:
- affects 10,000 or more people,
- compromises databases containing the information of 1,000,000 or more people, or
- impacts federal databases or concerns federal employees or contractors engaged in national security or law enforcement services.
Under the Act, those who knowingly fail to report security breaches would face both fines and imprisonment. In addition, entities using the electronic or digital records of 10,000 or more individuals would be obligated to develop and implement administrative, technical and physical safeguards designed to protect the data they process.