On Tuesday, February 6, U.S. Sen. Patrick Leahy, D-Vt., and Sen. Arlen Specter, R-Pa., filed legislation, the Personal Data Privacy Act of 2007, that would, among other things, require organizations to notify consumers of security breaches and mandate the adoption of internal policies to protect personal data. This bill is generally the same as the bill Leahy proposed in 2005 and again in 2006.
At a high level the Personal Data Privacy Act of 2007 would:
* make it a crime to intentionally or willfully hide a security breach;
* provide consumer access and correction rights to information held by commercial data brokers;
* require companies to notify authorities of breaches;
* require government agencies to adopt privacy protection rules when agencies use information from commercial data brokers; and
* require audits of government contracts with commercial data brokers.
Leahy provides the following in his statement introducing the bill:
“Summary Of The Leahy–Specter Personal Data Privacy And Security Act Of 2007
Provides new measures to protect the privacy and security of personal data. Provides Americans with notice when they have been harmed, and also addresses the underlying problem of lax security and lack of accountability in dealing with personal data.
Adds unauthorized access to sensitive personally identifiable information to the criminal prohibition against computer fraud under 18 U.S.C. § 1030(a)(2).
Requires data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct demonstrated inaccuracies. There are exemptions for products and services already subject to access and correction rules under the Fair Credit Reporting Act, as well as companies subject to Gramm-Leach-Bliley and the Health Information Portability and Accountability Act. In addition, there are also exemptions for proprietary, fraud prevention tools and marketing data.
Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data. There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.
Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised. The trigger for notice is tied to significant risk of harm with appropriate checks-and-balances to prevent over-notification as well as underreporting. There are exemptions for national security and law enforcement needs, credit card companies using fraud-prevention techniques or where a breach does not result in a significant risk of harm.
Addresses the government’s use of personal data by: (1) requiring the General Services Administration to evaluate the privacy and security practices of potential government contractors handling personal data, and include penalties in government contracts for failure to protect data privacy and security; (2) requiring Federal departments and agencies to audit the information security practices of commercial data brokers hired for projects involving personal data and include protections and penalties in contracts with data brokers to protect data privacy and security; and (3) requiring Federal departments and agencies to conduct privacy impact assessments on their use of commercial databases to access personal data on U.S. persons, and to adopt regulations to ensure the security and privacy of data obtained through commercial data brokers.
Provides tough monetary penalties for failing to provide privacy and security protections and notices of security breaches, and toughens criminal penalties for those who infiltrate systems to compromise personal data. Also imposes a criminal penalty in the cases where there is intentional and willful concealment of a security breach known to require notice.”
I’m glad to see this covers all types of organizations, including government agencies. It is too bad the security program requirement only kicks in at a minimum of 10,000 individuals; I’m sure some organizations will find creative ways to stay under that threshold so that they will not have to establish security programs. Organizations of all sizes that handle personally identifiable information (PII) should have information security in place to safeguard privacy.
It will be interesting to see the actual text of the bill; it has not yet been posted.
Recall that Vermont has had three privacy breaches recently. Just last week in Vermont there was a serious data breach of a computer system used by the Vermont Agency of Human Services. The breach jeopardized the financial data of at least 69,000 Vermonters whose personal financial information was stored on the server.
Along with these, breaches at the federal government level continue, including yet another one within the Department of Veterans Affairs, which reported Monday, 2/5, that it had lost a portable hard drive containing sensitive personal information on as many as 48,000 veterans.
After three years of almost daily reports of privacy breaches, the momentum exists to get this bill passed this time around.
Tags: awareness and training, government, Information Security, IT compliance, Leahy, personal privacy, policies and procedures, privacy, privacy breach, privacy law