[Senate Report 111-110]
[From the U.S. Government Publishing Office]
Calendar No. 208
111th Congress Report
SENATE
1st Session 111-110
======================================================================
PERSONAL DATA PRIVACY AND SECURITY ACT OF 2009
_______
December 17, 2009.--Ordered to be printed
_______
Mr. Leahy, from the Committee on the Judiciary, submitted the following
R E P O R T
[To accompany S. 1490]
[Including cost estimate of the Congressional Budget Office]
The Committee on the Judiciary, to which was referred the
bill (S. 1490), to prevent and mitigate identity theft, to
ensure privacy, to provide security protections for personal
data, to provide notice of security breaches, and to enhance
criminal penalties, law enforcement assistance, and other
protections against security breaches, fraudulent access, and
misuse of personally identifiable information, having
considered the same, reports favorably thereon, with an
amendment, and recommends that the bill, as amended, do pass.
CONTENTS
I. Background and Purpose of the Personal Data Privacy and Security Act of 2009
II. History of the Bill and Committee Consideration
III. Section-by-Section Summary of the Bill
IV. Congressional Budget Office Cost Estimate
V. Regulatory Impact Evaluation
VI. Conclusion
VII. Minority Views
VIII. Changes to Existing Law Made by the Bill, as Reported
I. Background and Purpose of the Personal Data Privacy and Security Act of 2009
A. SUMMARY
Advanced technologies, combined with the realities of the
post-9/11 digital era, have created strong incentives and
opportunities for collecting and selling personal information
about ordinary Americans. Today, private sector and
governmental entities alike routinely traffic in billions of
electronic personal records about Americans. Americans rely on
this data to facilitate financial transactions, provide
services, prevent fraud, screen employees, investigate crimes,
and find loved ones. The Government also relies upon this
information to enhance national security and to combat crime.
The growing market for personal information has also become
a treasure trove that is both valuable and vulnerable to
identity thieves. As a result, the consequences of a data
security breach can be quite serious. For Americans caught up
in the endless cycle of watching their credit unravel, undoing
the damage caused by security breaches and identity theft can
become a time-consuming and lifelong endeavor. In addition,
while identity theft is a major privacy concern for most
Americans, the use and collection of personal data by
Government agencies can have an even greater impact on
Americans' privacy. The loss or theft of Government data can
potentially expose ordinary citizens, Government employees, and
members of the armed services alike to national security and
personal security threats.
Despite these well-known dangers, the Nation's privacy laws
lag far behind the capabilities of technology and the cunning
of identity thieves. The Personal Data Privacy and Security Act
of 2009 is a comprehensive, bipartisan privacy bill that seeks
to close this privacy gap, by establishing meaningful national
standards for providing notice of data security breaches, and
addressing the underlying problem of lax data security, to make
it less likely for data security breaches to occur in the first
place.
B. THE GROWING PROBLEM OF DATA SECURITY BREACHES AND IDENTITY THEFT
According to the Privacy Rights Clearinghouse, more than
340 million records containing sensitive personal information
have been involved in data security breaches since 2005.\1\
Since the Personal Data Privacy and Security Act was first
reported by the Judiciary Committee in November 2005, there
have been at least 599 different data security breaches in the
United States, affecting millions of American consumers.\2\ For
example, in January 2009, Heartland Payment Systems, one of the
Nation's leading processors of credit and debit card
transactions, announced that its processing system records
containing more than 130 million credit card accounts had been
breached by hackers. In January 2007, mega-retailer TJX
disclosed that it suffered a data breach affecting at least
45.7 million credit and debit cards.\3\ These data breaches
follow many other commercial data breaches, collectively
affecting millions of Americans, including data security
breaches at ChoicePoint and LexisNexis.
---------------------------------------------------------------------------
\1\See ``Privacy Rights Clearinghouse Chronology of Data
Breaches,'' available at http://www.privacyrights.org/.
\2\Id.
\3\``Breach of data at TJX is called the biggest ever, Stolen
numbers put at 45.7 million,'' Boston Globe, March 29, 2007.
---------------------------------------------------------------------------
Federal Government agencies have also suffered serious data
security breaches. In February 2009, the Federal Aviation
Administration revealed that computer hackers breached one of
its servers and stole sensitive personal information concerning
45,000 current and former FAA employees.\4\ In June 2008,
Walter Reed Medical Center reported that the personal
information of 1,000 Military Health System beneficiaries may
have been improperly disclosed through the unauthorized sharing
of data.\5\ In May 2006, the Department of Veterans Affairs
lost an unsecured laptop computer hard drive containing the
health records and other sensitive personal information of
approximately 26.5 million veterans and their spouses.\6\ And,
in May 2007, the Transportation Security Administration (TSA)
reported that the personal and financial records of 100,000 TSA
employees were lost after a computer hard drive was reported
missing from the Agency's headquarters, exposing the Department
of Homeland Security to potential national security risks.\7\
---------------------------------------------------------------------------
\4\``FAA Breach Heightens Cybersecurity Concerns,'' Federal
Computer Week, February 23, 2009.
\5\``Walter Reed: Data Breach at Military Hospitals,'' The
Associated Press, June 3, 2008.
\6\See Testimony of the Honorable James Nicholson, Secretary of
Veterans Affairs, before the House Committee on Government Reform, June
8, 2006.
\7\See ``TSA seeks hard drive, personal data for 100,000,'' USA
Today, May 5, 2007; see also, the Federal Times, ``Union Sues TSA over
loss of data on employees,'' May 9, 2007.
---------------------------------------------------------------------------
The steady wave of data security breaches in recent years
is a window into a broader, more challenging trend. Insecure
databases are now low-hanging fruit for hackers looking to
steal identities and commit fraud. Lax data security is also a
threat to American businesses. The President's recent report on
Cyberspace Policy Review noted that industry estimates of
losses from intellectual property to data theft in 2008 range
as high as $1 trillion.\8\ Because data security breaches
adversely affect many segments of the American community, a
meaningful solution to this growing problem must carefully
balance the interests and needs of consumers, business, and the
Government.
---------------------------------------------------------------------------
\8\``President's Report on Cyberspace Policy Review,'' May 29,
2009, at page 2.
---------------------------------------------------------------------------
C. THE PERSONAL DATA PRIVACY AND SECURITY ACT OF 2009
The Personal Data Privacy and Security Act of 2009 takes
several meaningful and important steps to balance the interests
and needs of consumers, business, and the Government in order
to better protect Americans' sensitive personal data. This
legislation is supported by a wide range of consumer, business,
and Government organizations, including the United States
Secret Service, the Federal Trade Commission, Microsoft, the
Business Software Alliance, Consumer Federation of America,
Consumers Union, the American Federation of Government
Employees, Facebook, the Center for Democracy & Technology, and
the ACLU.
1. Access and correction
First, to provide consumers with tools that enable them to
guard against identity theft, the bill gives consumers the
right to know what sensitive personal information commercial
data brokers have about them. In addition, the bill extends the
protections afforded under the Fair and Accurate Credit
Transactions Act (FACTA) to this data, by allowing consumers to
correct their personal information if it is inaccurate. Under
circumstances where a business entity makes an adverse decision
based on information provided to it by a data broker, the bill
also requires that the business entity notify the consumer of
the adverse decision and provide the consumer with the
information needed to contact the data broker and correct the
information. There is an exemption to this requirement for
fraud databases, to ensure that the Government can detect and
combat fraud. The right of consumers to access and correct
their own sensitive personal data is a simple matter of
fairness. The principles of access and correction incorporated
in the bill have precedent in the credit reporting industry
context and these principles have been adapted to the data
broker industry.
2. Data Security Program
Second, the bill recognizes that, in the Information Age,
any company that wants to be trusted by the public must earn
that trust by vigilantly protecting the information that it
uses and collects. The bill takes important steps to accomplish
this goal, by requiring that companies that have databases with
sensitive personal information on more than 10,000 Americans
establish and implement a data privacy and security program.
There are exemptions to this requirement for companies already
subject to data security requirements under the Gramm-Leach-Bliley
(GLB) Act and the Health Information Portability and
Accountability (HIPAA) Act.
3. Notice
Third, because American consumers should know when they are
at risk of identity theft, or other harms because of a data
security breach, the bill also requires that business entities
and Federal agencies promptly notify affected individuals and
law enforcement when a data security breach occurs. Armed with
such knowledge, consumers can take steps to protect themselves,
their families, and their personal and financial well-being.
The trigger for notice to individuals is ``significant risk of
harm,'' and this trigger includes appropriate checks and
balances to prevent over-notification and underreporting of
data security breaches.
In this regard, the bill recognizes that there are harms
other than identity theft that can result from a data security
breach, including harm from other financial crimes, stalking,
and other criminal activity. Consequently, the bill adopts a
trigger of ``significant risk of harm,'' rather than a weaker
trigger of ``significant risk of identity theft,'' for the
notice requirement for individuals in the legislation.\9\ There
are exemptions to the notice requirements for individuals for
national security and law enforcement reasons, as well as an
exemption to this requirement for credit card companies that
have effective fraud-prevention programs.\10\ The bill
contemplates that a reasonable delay of notice could include
the time necessary for a victim company to conduct a risk
assessment under Section 302(a)(3).
---------------------------------------------------------------------------
\9\A notice trigger based upon ``significant risk of identity
theft'' would weaken the notice provisions in S. 1490 and such a
standard would also fail to adequately protect consumers. First, the
weaker ``significant risk of identity theft'' standard only requires
notification of consumers when a business entity or Federal agency
affirmatively finds that there is a significant risk of the specific
crime of identity theft. In addition, as discussed above, there are
other harms that could result from data security breaches, such as
stalking, physical harm, or threats to national security, that are not
addressed or covered under a notice standard based solely on the risk
of identity theft.
\10\Some have incorrectly argued that S. 1490 will result in over-
notification of consumers and in a lack of clarity for business. To the
contrary, the bill contains meaningful checks and balances, including
the risk assessment and financial fraud prevention provisions in
Section 312, to prevent over-notification and the underreporting of
data security breaches. The risk assessment provision in Section
312(b), furthermore, provides businesses with an opportunity to fully
evaluate data security breaches when they occur, to determine whether
notice should be provided to consumers. In addition, the bill
complements and properly builds upon other Federal statutes governing
data privacy and security to ensure clarity for business in this area.
For example, to avoid conflicting obligations regarding the bill's data
security program requirements, Section 301(c) specifically exempts
financial institutions that are already subject to, and complying with,
the data privacy and security requirements under GLB, as well as HIPAA-
regulated entities. The bill also builds upon existing Federal laws and
guidance, such as the data security protections established by the
Office of the Comptroller of the Currency for financial institutions
and the access and correction provisions in the Fair Credit Reporting
Act and the Fair and Accurate Credit Transactions Act, to clarify the
obligations of business.
---------------------------------------------------------------------------
In addition, to strengthen the tools available to law
enforcement to investigate data security breaches and to combat
identity theft, the bill also requires that business entities
and Federal agencies notify the Secret Service of a data
security breach within 14 days of the occurrence of the breach.
This notice will provide law enforcement with a valuable head
start in pursuing the perpetrators of cyber intrusions and
identity theft. The bill also empowers the Secret Service to
obtain additional information about the data breach from
business entities and Federal agencies to determine whether
notice of the breach should be given to consumers and other law
enforcement agencies. This mechanism gives businesses and
agencies certainty as to their legal obligation to provide
notice and prevents them from sending notices when they are
unnecessary, which over time, could result in consumers
ignoring such notices. The notice of breach provisions for
electronic health records that Congress enacted in the American
Reinvestment and Recovery Act (ARRA) apply to information that
is accessed or disclosed from personal health records. The
notice of breach provisions in this bill are not intended to
preempt the notice requirements established by ARRA.
The bill also recognizes the benefits of separating the
notice obligations of owners of personally identifiable
information and third parties who use and manage personally
identifiable information on the owner's behalf. The bill
imposes an obligation on third parties that suffer a data
security breach to notify the owners or licensees of the
personally identifiable information, who would, in turn, notify
consumers. If the owner or licensee of the data gives notice of
the breach to the consumer, then the breached third party does
not have to give notice. The bill also states that it does not
abrogate any agreement between a breached entity and a data
owner or licensee to provide the required notice in the event
of a breach. Separating the notice obligations between data
owners and licensees, and third parties, will encourage data
owners and licensees to address the notice obligation in
agreements with third parties and will help to ensure that
consumers will receive timely notice from the entity with which
they have a direct relationship and would recognize upon
receiving such notice, in the event of a data security breach.
However, this notice can only be effective if the entity which
suffers the breach, and any other third parties, provide to the
entity who will give the notice complete and timely information
about the nature and scope of the breach and the identity of
the entity breached.
4. Enforcement
Fourth, this legislation also establishes tough, but fair,
enforcement provisions to punish those who fail to notify
consumers of a data security breach, or to maintain a data
security program. The bill makes it a crime for any individual,
with knowledge of the obligation to provide notice of a
security breach, to intentionally and willfully conceal the
breach that subsequently causes economic harm to consumers.
Violators of this provision are subject to a criminal fine
under title 18, or imprisonment of up to five years, or both.
This provision is no more onerous than criminal provisions for
other types of fraudulent conduct which causes similar harm to
individuals.
The bill also contains strong civil enforcement provisions.
The bill authorizes the Federal Trade Commission (FTC) to bring
a civil enforcement action for violations of the data security
program requirements in the bill and to recover a civil penalty
of not more than $5,000 per violation, per day and a maximum
penalty of $500,000 per violation.\11\ In addition, the bill
authorizes State Attorneys General, or the U.S. Attorney
General, to bring a civil enforcement action against violators
of the notice requirements in the bill and to recover a civil
penalty of not more than $1,000 per individual, per day and a
maximum penalty of $1,000,000 per violation, unless the
violation is willful or intentional. It is not uncommon for
Congress to authorize both Federal and State regulators to
enforce Federal consumer protection laws. In fact, Federal
antitrust laws, the CAN-SPAM Act (Controlling the Assault of
Non-Solicited Pornography and Marketing Act of 2003), and the
Communications Act of 1934 also authorize State Attorneys
General to seek damages or to enjoin further Federal law
violations. The State enforcement provisions in this bill are
modeled after those laws.
---------------------------------------------------------------------------
\11\Double penalties may be recovered for intentional or willful
violations of this provision.
---------------------------------------------------------------------------
The bill authorizes the Secret Service to investigate data
security breaches and to provide guidance to companies that
have been the victim of a data security breach on their notice
obligations under the bill. Since 1984, Congress has provided
statutory authority for the Secret Service to investigate a
wide range of financial crimes, including offenses under 18
U.S.C. Sec. 1028 (false identification fraud), Sec. 1029
(access device fraud) and Sec. 1030 (computer fraud). In the
last two decades, the Secret Service has conducted more than
733,000 financial fraud and identity theft investigations
involving these statutes, leading to the prosecution of more
than 116,000 individuals.\12\ Pursuant to the notice
requirements in the bill, the Secret Service's Criminal
Intelligence Section would analyze, coordinate and monitor all
data breach investigations reported to it by victim companies.
---------------------------------------------------------------------------
\12\See Secret Service White Paper, ``Data Broker Legislation--S.
1490,'' May 2007.
---------------------------------------------------------------------------
When the Criminal Intelligence Section receives
notification of a data breach, it would immediately analyze the
information and refer the case to the appropriate field office
and/or electronic/financial crimes task force, for
investigation and prosecution. Throughout this process, the
Criminal Intelligence Section would stand ready to support the
victim company, investigating field office or task force, and
prosecuting U.S. Attorney's Office as needed. The Criminal
Intelligence Section would also coordinate with the Computer
Crime and Intellectual Property Section (CCIPS) of the
Department of Justice to ensure proper and timely response
through the Federal judicial system, regardless of where the
data breach occurred. In addition, the Criminal Intelligence
Section would have the responsibility of notifying Federal law
enforcement and State Attorneys General as mandated by the
legislation.
Section 316(b) of the bill expressly requires that the FBI
must be notified of any data security breach that involves
espionage, foreign counterintelligence, or national security
matters. Under title 18, section 1030(d)(1), the Secret Service
and FBI have concurrent jurisdiction to investigate Section
1030 violations relating to false identification fraud, access
device fraud, and computer fraud. Section 1030 designates the
FBI as the primary investigative agency for such offenses if
they involve espionage, foreign counterintelligence, and other
national security matters. Accordingly, the bill incorporates
this requirement in the context of breach notice, so that the
FBI is promptly notified of any data breach matters that
involve espionage, foreign counterintelligence, or national
security.
5. Preemption
The legislation also carefully balances the need for
Federal uniformity in certain data privacy laws and the
important role of States as leaders on privacy issues. Section
304 of the bill (relation to other laws) preempts State laws
with respect to requirements for administrative, technical, and
physical safeguards for the protection of sensitive personally
identifying information. These requirements, which are referred
to in this Section, are the same requirements set forth in
Section 302 of the bill.
Section 319 of the bill (effect on Federal and State laws)
also preempts State laws on breach notification. However, in
recognition of the important role that the States have played
in developing breach notification, the bill carves out an
exception to preemption for State laws regarding providing
consumers with information about victim protection assistance
that is provided for by the State.
In addition, Section 319 of the bill provides that the
notice requirements in S. 1490 supersede ``any provision of law
of any State relating to notification of a security breach,
except as provided in Section 314(b) of the bill.'' The bill's
subtitle on security breach notification applies to ``any
agency, or business entity engaged in interstate commerce,''
and the term ``agency'' is defined in the bill by referencing
section 551 of title 5, United States Code, which pertains to
Federal Governmental entities. As a result, the security breach
notification requirements in the bill have no application to
State and local governmental entities, and the Committee does
not intend for this provision to preempt or displace State laws
that address obligations of State and local governmental
entities to provide notice of security breach.
6. Government Use
Finally, the bill establishes important new checks on the
Government's use of personal data. In July 2009, the Government
Accountability Office (GAO) released a new report on Government
information security policies that found persistent weaknesses
in Federal agency data security policies and practices.\13\
According to the report, all 24 of the major Federal agencies
had weaknesses in their information security controls.\14\ To
address these concerns, the bill requires that Federal agencies
consider whether data brokers can be trusted with Government
contracts that involve sensitive information about Americans
before awarding Government contracts. The bill also requires
that Federal agencies audit and evaluate the information
security practices of Government contractors and third parties
that support the information technology systems of Government
agencies. In addition, the bill requires that Federal agencies
adopt regulations that specify the personnel allowed to access
Government data bases containing personally identifiable
information and adopt regulations that establish the standards
for ensuring, among other things, the legitimate Government use
of sensitive personal information.\15\
---------------------------------------------------------------------------
\13\See Report of the U.S. Government Accountability Office,
``Information Security: Agencies Continue to Report Progress, but Need
to Mitigate Persistent Weaknesses,'' (July 2009).
\14\Id.
\15\In their accompanying views, the Minority makes several
arguments in opposition to the bill that are without merit. First, the
arguments that the bill's definitions for ``sensitive personally
identifiable information'' and ``security breach'' are too broad are
wholly unfounded. The Committee crafted the definition for sensitive
personally identifiable information after careful consultation with the
United States Secret Service, the FTC and several consumer
organizations that have had significant experience with the kinds of
information that is most vulnerable to identity theft and other cyber
crimes. Moreover, the definition of security breach is fully consistent
with other Federal computer fraud and privacy laws. See, e.g.,
Sec. Sec. 18 U.S.C. 1030 (a)(2) and (3) (Computer Fraud and Abuse Act);
18 U.S.C. Sec. Sec. 2510(4) (definition of ``intercept'' means ``the
aural or other acquisition of the contents of any wire, electronic, or
oral communication through the use of any electronic, mechanical, or
other device.''). The Minority also incorrectly states that the bill
does not exempt entities that are already regulated by other Federal
laws governing data privacy and security. Section 201(b) of the bill
clearly and expressly exempts FCRA, GLB and HIPAA-regulated entities
from the transparency and accuracy provisions of the bill. Moreover,
section 301(c) expressly exempts GLB and HIPAA-regulated entities from
the data privacy and security program requirements in the bill. Lastly,
the notion that the bill should exclude all law enforcement and
counterterrorism programs from the privacy impact assessment
requirements in the bill is simply without merit. The Minority cites no
evidence to demonstrate that privacy impact assessments posed a unique
concern for Federal agencies that are engaged in law enforcement or
counterterrorism activities. To the contrary, many Federal agencies
already conduct privacy impact assessments for these kinds of programs,
to the benefit of all Americans.
---------------------------------------------------------------------------
II. History of the Bill and Committee Consideration
A. INTRODUCTION OF THE BILL
Chairman Leahy introduced the Personal Data Privacy and
Security Act of 2009 on July 22, 2009. This bipartisan,
comprehensive privacy bill is cosponsored by Senators Specter,
Hatch, Schumer, Durbin, Feingold, Cardin, and Brown.
This legislation is very similar to the Personal Data
Privacy and Security Act of 2007, S. 495, which Senators Leahy
and Specter introduced on July 6, 2007 and to the Personal Data
Privacy and Security Act of 2005, S. 1789, which Senators Leahy
and Specter introduced on September 29, 2005. The Judiciary
Committee favorably reported S. 495 on May 3, 2007 by voice
vote and S. 1789 on November 17, 2005, by a bipartisan vote of
13 to 5.
The Committee has held three hearings related to S. 1490.
On April 13, 2005, the Judiciary Committee held a hearing
titled, ``Securing Electronic Personal Data: Striking a Balance
between Privacy and Commercial and Governmental Use.'' This
hearing examined the practices and weaknesses of the rapidly
growing data broker industry and, in particular, how data
brokers were handling the most sensitive personal information
about Americans. The hearing also explored how Congress could
establish a sound legal framework for future data privacy
legislation that would ensure that privacy, security, and civil
liberties will not be pushed aside in the new Digital Age. The
following witnesses testified at this hearing: Deborah Platt
Majoras, Chairman of the Federal Trade Commission; Chris
Swecker, Assistant Director for the Criminal Investigative
Division at the Federal Bureau of Investigation; Larry D.
Johnson, Special Agent in Charge of the Criminal Investigative
Division of the U.S. Secret Service; William H. Sorrell,
President of the National Association of Attorneys General;
Douglas C. Curling, President, Chief Operating Officer, and
Director of ChoicePoint, Inc.; Kurt P. Sanford, President & CEO
of the U.S. Corporate & Federal Markets LexisNexis Group;
Jennifer T. Barrett, Chief Privacy Officer of Acxiom Corp.;
James X. Dempsey, Executive Director of the Center for
Democracy & Technology; and Robert Douglas, CEO of
PrivacyToday.com.
On March 21, 2007, the Judiciary Committee's Subcommittee
on Terrorism, Technology and Homeland Security held a hearing
titled, ``Identity Theft: Innovative Solutions for an Evolving
Problem.'' This hearing examined the problem of identity theft
and legislative solutions to this problem, and discussed the
need for Federal legislation on data breach notification. The
following witnesses testified at this hearing: Ronald Tenpas,
Associate Deputy Attorney General, United States Department of
Justice; Lydia Parnes, Director, Bureau of Consumer Protection,
Federal Trade Commission; James Davis, Chief Information
Officer and Vice Chancellor for Information Technology,
University of California, Los Angeles; Joanne McNabb, Chief,
California Office of Privacy Protection; and Chris Jay
Hoofnagle, Senior Staff Attorney, Samuelson Law, Technology &
Public Policy Clinic, School of Law (Boalt Hall), University of
California, Berkeley.
On January 27, 2009, the Committee held a hearing titled,
``Health IT: Protecting Americans' Privacy in the Digital
Age.'' This hearing examined best practices for protecting
electronic health records and for protecting Americans' health
privacy. The following witnesses appeared at that hearing:
Adrienne Hahn, Senior Attorney and Program Manager for Health
Policy, Consumers Union; James Hester, Jr. Ph.D., Director,
Health Care Reform Commission, Vermont State Legislature; Deven
McGraw, Director, Health Privacy Project, Center for Democracy
and Technology; Michael Stokes, Principal Lead Program Manager,
HealthVault, Microsoft Corporation; John Houston, Vice
President of Information Security and Privacy, University of
Pittsburgh Medical Center; and David Merritt, Project Director,
Center for Health Transformation and the Gingrich Group.
B. COMMITTEE CONSIDERATION
On October 23, 2009, S. 1490 was placed on the Judiciary
Committee's agenda. The Committee considered this legislation
on November 5, 2009.
During the Committee's consideration of S. 1490, three
amendments to the bill were offered and one amendment was
unanimously adopted by the Committee:
First, the Committee adopted, without objection, a
manager's amendment to S. 1490 which Chairman Leahy offered on
behalf of himself and Senator Specter. The manager's amendment
clarifies enforcement provisions in the bill, including: (1)
adding a fraud data base exemption to the provisions allowing
consumers to access and correct their personal data; (2)
clarifying that the FTC has the authority to enforce the civil
enforcement provisions in the bill with respect to business
entities; (3) harmonizing the notice of breach provisions in
the bill; (4) striking the provision establishing an Office of
Federal Identity Protection within the FTC; (5) clarifying the
definition of encryption and the standards for the data privacy
and security program safe harbor; and (6) amending the
definition of security breach to clarify that fraud is a harm
that the bill seeks to prevent and address.
The Committee rejected by a vote of 6 to 13 an amendment
offered by Senator Sessions (GRA09859) which would limit the
information included in the definition of ``security breach.''
The Committee rejected by a vote of 7 to 12 an amendment
offered by Senator Kyl (GRA09884) which would create an
exception to the requirement that Federal agencies appoint a
Chief Privacy Officer and conduct privacy impact assessments
for law enforcement and national security matters.
The Committee then voted to report the Personal Data
Privacy and Security Act of 2009, as amended, favorably to the
Senate. The Committee proceeded by roll call vote as follows:
Tally: 14 Yeas, 5 Nays
Yeas (14): Cardin (D-MD), Durbin (D-IL), Feingold (D-WI),
Feinstein (D-CA), Franken (D-MN), Grassley (R-IA), Hatch (R-
UT), Kaufman (D-DE), Klobuchar (D-MN), Kohl (D-WI), Leahy (D-
VT), Schumer (D-NY), Specter (D-PA), Whitehouse (D-RI).
Nays (5): Coburn (R-OK), Cornyn (R-TX), Graham (R-SC), Kyl
(R-AZ), Sessions (R-AL).
III. Section-by-Section Summary of the Bill
Section 1. Short title
This section provides that the legislation may be cited as
the ``Personal Data Privacy and Security Act of 2009.''
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS
OF DATA PRIVACY AND SECURITY
Section 101. Organized criminal activity in connection with
unauthorized access to personally identifiable information
Section 101 amends 18 U.S.C. 1961(1) to add intentionally
accessing a computer without authorization to the definition of
racketeering activity.
Section 102. Concealment of security breaches involving personally
identifiable information
Section 102 makes it a crime for a person who knows of a
security breach requiring notice to individuals under title III
of this Act, and of the obligation to provide such notice, to
intentionally and willfully conceal the fact of, or information
related to, that security breach. Punishment is either a fine
under title 18, or imprisonment of up to 5 years, or both.
Section 103. Review and amendment of Federal sentencing guidelines
related to fraudulent access to or misuse of digitized or
electronic personally identifiable information
Section 103 requires the U.S. Sentencing Commission to
review and, if appropriate, amend the Federal sentencing
guidelines for persons convicted of using fraud to access, or
to misuse, digitized or electronic personally identifiable
information, including sentencing guidelines for the offense of
identity theft or any offense under 18 U.S.C. Sec. Sec. 1028,
1028A, 1030, 1030A, 2511, and 2701.
Section 104. Effects of identity theft on bankruptcy proceedings
Section 104 amends 11 U.S.C. Sec. Sec. 101 and 707(b) to
exempt debtors from section 707(b)(2) means testing under the
Bankruptcy Abuse Prevention and Consumer Protection Act, if the
debtor's financial problems were caused by identity theft. This
section requires that, to be eligible for this exemption, the
identity theft must result in at least $20,000 in debt in one
year, 50 percent of the debtor's bankruptcy claims, or 25
percent of the debtor's gross income for a 12-month period. The
purpose of this provision is to ensure that victims who incur
debts due to identity theft have all available protections
under the bankruptcy code.
TITLE II--DATA BROKERS
Title II addresses the data brokering industry that has
come of age, prompted by technology developments and changes in
marketplace incentives. Data brokers collect and sell billions
of private and public records about individuals, including
personal, financial, insurance, medical and ``lifestyle'' data,
as well as other sensitive information, such as details on
neighbors and relatives, or even digital photographs of
individuals. Companies like ChoicePoint, LexisNexis, and
Acxiom, which are generally regarded as leaders in this
industry, use this information to provide a variety of products
and services, including fraud prevention, identity
verification, background screening, risk assessments,
individual digital dossiers, and tools for analyzing data.
Although some of the products and services offered by data
brokers are subject to existing privacy and security
protections aimed at credit reporting agencies and the
financial industry under the Fair Credit Reporting Act (FCRA)
and Gramm-Leach-Bliley (GLB), many are not subject to such
protections. In addition, there has been insufficient oversight
of the industry's practices, including the accuracy and
handling of sensitive data. These concerns have been
highlighted by numerous reports of harm caused by inaccurate
data records. This title draws from the principles in FCRA and
GLB to close these loopholes.
Section 201. Transparency and accuracy of data collection
Section 201 applies disclosure and accuracy requirements to
data brokers that engage in interstate commerce and offer any
product or service to third parties that allows access to, or
use, compilation, distribution, processing, analyzing or
evaluating of personally identifiable information. Section 201
requirements are not applicable to products and services
already subject to similar disclosure and accuracy provisions
under FCRA and GLB, and implementing regulations.
Section 201 requires data brokers to disclose to
individuals, upon their request and for a reasonable fee, all
personal electronic records pertaining to that individual that
the data broker maintains for disclosure to third parties.
Section 201 also requires data brokers to establish a fair
process for individuals to dispute, flag or correct
inaccuracies in any information that was not obtained from a
licensor or public record. Modeled after section 611 of FCRA,
section 201 requires data brokers to: (1) investigate disputed
information within 30 days; (2) notify any data furnishers who
provided disputed information and identify such data furnishers
to the individual disputing the information; (3) provide notice
to individuals on dispute resolution procedures and the status
of dispute investigations, including whether the dispute was
determined to be frivolous or irrelevant, whether the disputed
information was confirmed to be accurate, or whether the
disputed information was deleted as inaccurate; and (4) allow
individuals to include a statement of dispute in the electronic
records containing the disputed personal information. If the
information was obtained from a licensor or public record, the
data broker must provide the individual with contact
information for the source of the data.
Section 201 also provides that, under circumstances where a
person or business takes an adverse action regarding a
consumer, which is based in whole or in part on data maintained
by a data broker, the person or business must notify the
consumer in writing of the adverse action and provide contact
information for the data broker that furnished the information,
a copy of the information at no cost and the procedures for
correcting such information. There is an exemption for fraud
databases.
Section 202. Enforcement
A data broker that violates the access and correction
provisions of section 201 is subject to penalties of $1,000 per
violation per day with a maximum penalty of $250,000 per
violation. A data broker that intentionally or willfully
violates these provisions is subject to additional penalties of
$1,000 per violation per day, with a maximum of an additional
penalty of $250,000 per violation.
The Federal Trade Commission (FTC) will enforce section 202
and may bring an enforcement action to recover penalties under
this provision. States have the right to bring civil actions
under this section on behalf of their residents in U.S.
district courts, and this section requires that States provide
advance notice of such court proceedings to the FTC, where
practicable. The FTC also has the right to stay any State
action brought under this section and to intervene in a State
action.
Section 203--Relation to State Laws
Section 203 preempts State laws with respect to the access
and correction of personal electronic records held by data
brokers.
Section 204--Effective Date
Section 204 provides that title II will take effect 180
days after the date of the enactment of the Personal Data
Privacy and Security Act.
TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
SUBTITLE A--A DATA PRIVACY AND SECURITY PROGRAM
Section 301. Purpose and Applicability of Data Privacy and Security
Program
Section 301 addresses the data privacy and security
requirements of section 302 for business entities that compile,
access, use, process, license, distribute, analyze or evaluate
personally identifiable information in electronic or digital
form on 10,000 or more U.S. persons. Section 301 exempts from
the data privacy and security requirements of section 302
businesses already subject to, and complying with, similar data
privacy and security requirements under GLB and implementing
regulations, as well as examination for compliance by Federal
functional regulators as defined in GLB, and HIPAA regulated
entities.
Section 302. Requirements for a Data Privacy and Security Program
Section 302 requires covered business entities to create a
data privacy and security program to protect and secure
sensitive data. The requirements for the data security program
are modeled after those established by the Office of the
Comptroller of the Currency for financial institutions in its
Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, 12 C.F.R. Sec. 30.6 Appendix B (2005).
A data privacy and security program must be designed to
ensure security and confidentiality of personal records,
protect against anticipated threats and hazards to the security
and integrity of personal electronic records, protect against
unauthorized access and use of personal records, and ensure
proper back-up storage and disposal of personally identifiable
information. In addition, section 302 requires a covered
business entity to: (1) regularly assess, manage and control
risks to improve its data privacy and security program; (2)
provide employee training to implement its data privacy and
security program; (3) conduct tests to identify system
vulnerabilities; (4) ensure that overseas service providers
retained to handle personally identifiable information, but
which are not covered by the provisions of this Act, take
reasonable steps to secure that data; and (5) periodically
assess its data privacy and security program to ensure that the
program addresses current threats. Section 302 also requires
that the data security program include measures that allow the
data broker to: (1) track who has access to sensitive
personally identifiable information maintained by the data
broker; and (2) ensure that third parties or customers who are
authorized to access this information have a valid legal reason
for accessing or acquiring the information.
Section 303. Enforcement
Section 303 gives the FTC the right to bring an enforcement
action for violations of sections 301 and 302 in subtitle A.
Business entities that violate sections 301 and 302 are subject
to a civil penalty of not more than $5,000 per violation, per
day and a maximum penalty of $500,000 per violation.
Intentional and willful violations of these sections are
subject to an additional civil penalty of $5,000 per violation,
per day and an additional maximum penalty of $500,000 per
violation. This section also grants States the right to bring
civil actions on behalf of their residents in U.S. district
courts, and requires States to give advance notice of such
court proceedings to the FTC, where practicable. There is no
private right of action under this subtitle.
Section 304. Relation to other laws
Section 304 preempts State laws relating to administrative,
technical, and physical safeguards for the protection of
sensitive personally identifying information. The requirements
referred to in this section are the same requirements set forth
in section 302.
SUBTITLE B--SECURITY BREACH NOTIFICATION
Section 311. Notice to individuals
Section 311 requires that a business entity or Federal
agency give notice to an individual whose sensitive personally
identifiable information has been, or is reasonably believed to
have been, compromised, following the discovery of a data
security breach. The notice required under section 311 must be
made without unreasonable delay. Section 311(b) requires that a
business entity or Federal agency that does not own or license
the information compromised as a result of a data security
breach notify the owner or licensee of the data. The owner or
licensee of the data would then provide the notice to
individuals as required under this section. However, agreements
between owners, licensees and third parties regarding the
obligation to provide notice under section 311 are preserved.
Section 312. Exemptions
Section 312 allows a business entity or Federal agency to
delay notification by providing a written certification to the
U.S. Secret Service that providing such notice would impede a
criminal investigation, or damage national security. This
provision further requires that the Secret Service must review
all certifications from business entities (and may review
certifications from agencies) seeking an exemption from the
notice requirements based upon national security or law
enforcement, to determine if the exemption sought has merit.
The Secret Service has 10 business days to conduct this review,
which can be extended by the Secret Service if additional
information is needed. Upon completion of the review, the
Secret Service must provide written notice of its determination
to the agency or business entity that provided the
certification. If the Secret Service determines that the
exemption is without merit, the exemption will not apply.
Section 312 also prohibits Federal agencies from providing a
written certification to delay notice, to conceal violations of
law, prevent embarrassment or restrain competition.
Section 312(b) exempts a business entity or agency that
conducts a risk assessment after a data breach occurs, and
finds no significant risk of harm to the individuals whose
sensitive personally identifiable information has been
compromised, from the notice requirements of section 311,
provided that: (1) the business entity or Federal agency
notifies the Secret Service of the results of the risk
assessment within 45 days of the security breach; and (2) the
Secret Service does not determine within 10 business days of
receipt of the notification that a significant risk of harm does
in fact exist and that notice of the breach should be given.
Under section 312(b) a rebuttable presumption exists that the
use of encryption technology, or other technologies that render
the sensitive personally identifiable information
indecipherable, means that there is no significant risk of
harm.
Section 312(c) also provides a financial fraud prevention
exemption from the notice requirement, if a business entity has
a program to block the fraudulent use of information--such as
credit card numbers--to avoid fraudulent transactions. Debit
cards and other financial instruments are not covered by this
exemption.
Section 313. Methods of notice
Section 313 provides that notice to individuals may be
given in writing to the individual's last known address, by
telephone, or via email, if the individual has consented
to email notice. Media notice is also required if the number of
residents in a particular State whose information was, or is
reasonably believed to have been, compromised exceeds 5,000
individuals.
Section 314. Content of notification
Section 314 requires that the notice detail the nature of
the personally identifiable information that has been
compromised by the data security breach, a toll free number to
contact the business entity or Federal agency that suffered the
breach, and the toll free numbers and addresses of major credit
reporting agencies. Section 314 also preserves the right of
States to require that additional information about victim
protection assistance be included in the notice.
Section 315. Coordination of notification with credit reporting
agencies
Section 315 requires that, for situations where notice of a
data security breach is required for 5,000 or more individuals,
a business entity or Federal agency must also provide advance
notice of the breach to consumer reporting agencies.
Section 316. Notice to law enforcement
Section 316 requires that business entities and Federal
agencies notify the Secret Service of the fact that a security
breach occurred within 14 days of the breach, if the data
security breach involves: (1) more than 10,000 individuals; (2)
a database that contains information about more than one
million individuals; (3) a Federal Government database; or (4)
individuals known to be Government employees or contractors
involved in national security or law enforcement. The Secret
Service is responsible for notifying other Federal law
enforcement agencies, including the FBI, and the relevant State
Attorneys General within 14 days of receiving notice of a data
security breach.
Section 317. Enforcement
Section 317 allows the Attorney General to bring a civil
action to recover penalties for violations of the notification
requirements in subtitle B. Violators are subject to a civil
penalty of up to $1,000 per day, per individual and a maximum
penalty of $1 million per violation, unless the violation is
willful or intentional.
Section 318. Enforcement by State Attorneys General
Section 318 allows State Attorneys General to bring a civil
action in U.S. district court to enforce subtitle B. The
Attorney General may stay, or intervene in, any State action
brought under this subtitle.
Section 319. Effect on Federal and State law
Section 319 preempts State laws on breach notification,
with the exception of State laws regarding providing consumers
with information about victim protection assistance that is
available to consumers in a particular State. Because the
breach notification requirements in the bill do not apply to
State and local Government entities, this provision does not
preempt State or local laws regarding the obligations of State
and local government entities to provide notice of a data
security breach.
Section 320. Authorization of appropriations
Section 320 authorizes funds for the Secret Service as may
be necessary to carry out investigations and risk assessments
of security breaches under the requirements of subtitle B.
Section 321. Reporting on risk assessment exemptions
Section 321 requires that the Secret Service report to
Congress on the number and nature of data security breach
notices invoking the risk assessment exemption and the number
and nature of data security breaches subject to the national
security and law enforcement exemptions.
Section 322. Effective date
Subtitle B takes effect 90 days after the date of enactment
of the Personal Data Privacy and Security Act.
TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
Section 401. General Services Administration review of government
contracts
Section 401 requires the General Services Administration
(GSA), when issuing contracts for more than $500,000, to review
and consider Government contractors' programs for securing the
privacy and security of personally identifiable information,
contractors' compliance with such programs, and any data
security breaches of contractors' systems and the responses to
those breaches.
In addition, GSA is required to include penalties in
contracts involving personally identifiable information for (1)
failure to comply with subtitle A (Data Privacy and Security
Programs) and subtitle B (Security Breach Notification) of
title III of this Act; and (2) knowingly providing inaccurate
information. Section 401 also requires that GSA include a
contract requirement that Government contractors exercise due
diligence in selecting service providers that handle personally
identifiable information and that Government contractors take
reasonable steps to select service providers that maintain
appropriate data privacy and security safeguards.
Section 402. Requirement to audit information security practices of
contractors and third party business entities
Section 402 amends 44 U.S.C. Sec. 3544 to require that
Federal agencies audit and evaluate the information security
practices of Government contractors and third parties that
support the information technology systems of Government
agencies.
Section 403. Privacy impact assessment of Government use of commercial
information services containing personally identifiable
information
Section 403(a) updates the E-Government Act of 2002 to
require Federal departments and agencies that purchase or
subscribe to personally identifiable information from a
commercial entity, to conduct privacy impact assessments on the
use of those services. In addition, section 403(b) requires
Federal departments and agencies that use such services to
publish a description of the database, the name of the provider
and the contract amount.
Section 403 also requires that Federal departments and
agencies adopt regulations that specify the personnel allowed
to access Government databases containing personally
identifiable information and the standards for ensuring, among
other things, the legitimate Government use of such
information, the retention and disclosure of such information,
and the accuracy, relevance, completeness and timeliness of
such information. Section 403 further provides that Federal
departments and agencies must include in contracts for more
than $500,000 and agreements with commercial data services,
penalty provisions for circumstances where a data broker
delivers personally identifiable information that it knows to
be inaccurate, or has been informed is inaccurate and is in
fact inaccurate. Section 403(c) also requires that data brokers
that engage service providers, who are not subject to the data
security program requirements of the bill, exercise due
diligence in retaining these service providers to ensure that
adequate safeguards for personally identifiable information are
in place.
Section 403(d) directs the Government Accountability Office
to conduct a follow-up study and report to Congress on Federal
agency use of commercial databases, including the impact of
such use on privacy and security, sufficiency of privacy and
security protections, and the extent to which commercial data
providers are penalized for privacy and security failures.
Section 404. Implementation of Chief Privacy Officer requirements
Section 522 of the Transportation, Treasury, Independent
Agencies, and General Government Appropriations Act, 2005
requires each agency to create a Chief Privacy Officer. Section
404 facilitates the efficient and effective implementation of
this requirement by directing the Department of Justice to
implement this provision by designating a Department-wide Chief
Privacy Officer, whose primary role is to fulfill the duties
and responsibilities of Chief Privacy Officer. In addition, the
DOJ Chief Privacy Officer will report directly to the Deputy
Attorney General.
Section 404 also stipulates responsibilities for the DOJ
Chief Privacy Officer that are tailored to the mission of the
Department and the requirements of this Act. Specifically, this
section directs the Chief Privacy Officer to: (1) oversee DOJ's
implementation of the privacy impact assessment requirement
under section 402; (2) promote the use of law enforcement
technologies that sustain, rather than erode, privacy
protections and ensure that technologies relating to the use,
collection and disclosure of personally identifiable
information preserve privacy and security; and (3) coordinate
implementation with the Privacy and Civil Liberties Oversight
Board, established in the Intelligence Reform and Terrorism
Prevention Act of 2004.
IV. Congressional Budget Office Cost Estimate
The Committee sets forth, with respect to the bill, S.
1490, the following estimate and comparison prepared by the
Director of the Congressional Budget Office under section 402
of the Congressional Budget Act of 1974:
December 2, 2009.
Hon. Patrick J. Leahy,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 1490, the Personal
Data Privacy and Security Act of 2009.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Matthew
Pickford.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
S. 1490--Personal Data Privacy and Security Act of 2009
Summary: S. 1490 would establish new federal crimes
relating to the unauthorized access of sensitive personal
information. The bill also would require most government
agencies or businesses that collect, transmit, store, or use
personal information to notify any individuals whose
information has been unlawfully accessed. In addition, S. 1490
would require data brokers to allow individuals access to their
electronic records and to publish procedures for individuals to
respond to inaccuracies.
Assuming appropriation of the necessary amounts, CBO
estimates that implementing S. 1490 would cost $25 million over
the 2010-2014 period. Enacting S. 1490 could increase civil and
criminal penalties and thus could affect federal revenues and
direct spending, but CBO estimates that such effects would not
be significant in any year. Further, enacting S. 1490 could
affect direct spending by agencies not funded through annual
appropriations. CBO estimates, however, that any changes in net
spending by those agencies would be negligible.
S. 1490 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA), but CBO estimates that
the cost of complying with the requirements would be small and
would not exceed the threshold established in UMRA ($69 million
in 2009, adjusted annually for inflation).
The new standards and requirements for data security in S.
1490 would constitute private-sector mandates as defined in
UMRA. While much of the industry already complies in large part
with many of those requirements, a large number of entities
in the private sector would face new security standards. CBO
estimates that the aggregate direct cost of complying with
those new standards would probably exceed the annual threshold
established in UMRA for private-sector mandates ($139 million
in 2009, adjusted annually for inflation) in at least one of
the first five years the mandates are in effect.
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 1490 is shown in the following table.
The costs of this legislation fall within budget functions 750
(administration of justice), 800 (general government), and any
other budget functions that contain salaries and expenses.
----------------------------------------------------------------------
                                By fiscal year, in millions of dollars--
                                ----------------------------------------
                                2010  2011  2012  2013  2014  2010-2014
----------------------------------------------------------------------
            CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level..    3     5     7     7     7      29
Estimated Outlays..............    1     3     7     7     7      25
----------------------------------------------------------------------
Basis of estimate: For this estimate, CBO assumes that the
bill will be enacted early in calendar year 2010, that the
necessary amounts will be provided each year, and that spending
will follow historical patterns for similar programs.
Most of the provisions of the bill would codify the current
practices of the federal government regarding data security and
procedures for notification of security breaches. While
existing laws generally do not require agencies to notify
affected individuals of data breaches, agencies that have
experienced security breaches have generally provided such
notification. Therefore, CBO expects that codifying this
practice would probably not lead to a significant increase in
spending. Nonetheless, the federal government is one of the
largest providers, collectors, consumers, and disseminators of
personal information in the United States. Although CBO cannot
anticipate the number or extent of security breaches, a
significant breach of security involving a major collector of
personal information, such as the Internal Revenue Service or
the Social Security Administration, could involve millions of
individuals and result in significant costs to notify
individuals of such a breach.
S. 1490 also would require federal agencies to provide
several reports to the Congress concerning data security
issues. The legislation would require agencies to conduct
additional privacy impact assessments on commercially purchased
data that contains personally identifiable information, and the
Government Accountability Office would be required to report to
the Congress on federal agencies' use of commercial
information. In addition, the General Services Administration
(GSA) would provide additional security assessments for certain
government contracts involving personally identifiable
information. Those assessments would include payroll
processing, emergency response and recall, and medical data.
Based on information from the Office of Management and Budget
and GSA, CBO estimates that the additional staff needed to
carry out those tasks and reporting requirements would cost $7
million annually when fully implemented. We expect that it
would take about three years to fully implement the
requirements.
The legislation also would require a business entity or
agency--under certain circumstances--to notify the Secret
Service that a security breach has occurred but would permit
entities or agencies to apply to the Secret Service for
exemption from notice requirements if the personal data was
encrypted or similarly protected or if notification would
threaten national security. Based on information from the
Secret Service, CBO estimates that any additional investigative
or administrative costs to that agency would likely be less
than $500,000 annually, subject to the availability of
appropriated funds.
Other provisions of the bill would require the Federal
Trade Commission (FTC) to develop and enforce regulations that
would require data brokers to allow individuals to access their
personal information and to require companies to assess the
vulnerability of their data systems. The FTC would be
authorized to collect civil penalties for violations of those
new regulations. CBO estimates that those provisions would have
no significant effect on spending.
Direct spending and revenues
S. 1490 would establish new federal crimes relating to the
unauthorized access of sensitive personal information. Enacting
the bill could increase collections of civil and criminal fines
for violations of the bill's provisions. CBO estimates that any
additional collections would not be significant because of the
relatively small number of additional cases likely to result.
Civil fines are recorded as revenues. Criminal fines are
recorded as revenues, deposited in the Crime Victims Fund, and
subsequently spent without further appropriation.
Estimated impact on state, local, and tribal governments:
S. 1490 contains intergovernmental mandates as defined in UMRA.
The bill would preempt laws in 45 states regarding the
treatment of personal information. It also would place
procedural requirements and limitations on state attorneys
general and state insurance authorities. The preemptions would
impose no costs on states. CBO estimates that the costs to
attorneys general and insurance authorities of complying with
the procedural requirements would be small and would not exceed
the threshold established in UMRA ($69 million in 2009,
adjusted annually for inflation).
Estimated impact on the private sector: S. 1490 would
impose several private-sector mandates as defined in UMRA,
including requirements that:
Certain business entities that handle
personally identifiable information for 10,000 or more
individuals establish and maintain a data privacy and
security program;
Any business entity engaged in interstate
commerce notify individuals if a security breach occurs
in which such individuals' sensitive personally
identifiable information is compromised;
Data brokers provide individuals with their
personally identifiable information and change the
information if it is incorrect; and
Any entity taking an adverse action against
an individual based on information obtained from a
database maintained by a data broker notify the
individual of that action.
The majority of businesses already comply with procedures
for data security and breach notification that are similar to
many of the bill's requirements. However, some of the
requirements in the bill would impose new standards for data
maintenance and security on a large number of entities in the
private sector. CBO estimates that the aggregate direct cost of
all the mandates in the bill would probably exceed the annual
threshold established in UMRA for private-sector mandates ($139
million in 2009, adjusted annually for inflation) in at least
one of the first five years the mandates are in effect.
Data privacy and security requirements
Subtitle A of title III would require businesses engaging
in interstate commerce that involves collecting, accessing,
transmitting, using, storing, or disposing of sensitive,
personally identifiable information in electronic or digital
form on 10,000 or more individuals to establish and maintain a
program for data privacy and security. The program would be
designed to protect against both unauthorized access and any
anticipated vulnerabilities. Business entities would be
required to conduct periodic risk assessments to identify such
vulnerabilities and to assess possible security risks in
establishing the program. Additionally, entities would have to
train their employees in implementing the data security
program.
The bill would direct the FTC to develop rules that
identify privacy and security requirements for the business
entities covered under subtitle A. Some entities would be
exempt from the requirements of subtitle A. Those include
certain financial institutions that are subject to the data
security requirements under Gramm-Leach-Bliley Act and entities
that are subject to the data security requirements of the
Health Insurance Portability and Accountability Act.
The cost per entity of the data privacy and security
requirements would depend in part on the rules to be
established by the FTC, the size of the entity, its current
ability to secure, record, and monitor access to data, as well
as the amount of sensitive, personally identifiable information
maintained by the entity. The majority of states already have
laws requiring businesses to utilize data security programs,
and it is the current practice of many businesses to use
security measures to protect sensitive data. However, some of
the new standards for data security in the bill could impose
additional costs on a large number of private-sector entities.
For example, under the bill, business entities covered
under subtitle A would be required to enhance their security
standards to include the ability to trace access and
transmission of all records containing personally identifiable
information (PII). The current industry standard on data
security has not reached that level. According to industry
experts, information on a particular individual can be
collected from several places and, for large companies, can be
accessed by thousands of people from several different
locations. The ability to trace each transaction of data
containing PII would be a significant enhancement of data
management hardware and software for the majority of business
entities. The aggregate cost of implementing such changes could
be substantial.
Security breach notification
Subtitle B of title III would require businesses engaged in
interstate commerce that use, access, transmit, store, dispose
of, or collect sensitive personally identifiable information to
notify individuals in the event of a security breach if the
individuals' information is compromised. Entities would be able
to notify individuals using written letters, the telephone, or
email under certain circumstances. The bill also would require
those entities to notify the owner or licensee of any such
information that the entity does not own or license. A notice
in major media outlets serving a state or jurisdiction also
would have to be provided for any breach of more than 5,000
residents' records within a particular state. In addition,
business entities would be required to notify other entities
and agencies in the event of a large security breach. Entities
that experience the breach of such data would have to notify
the affected victims and consumer reporting agencies if the
breach involves more than 5,000 individuals. They would have to
notify the U.S. Secret Service if the breach involves more than
10,000 individuals. The bill, however, would exempt business
entities from the notification requirements under certain
circumstances.
According to industry sources, millions of individuals'
sensitive personally identifiable information is illegally
accessed or otherwise breached every year. However, according
to those sources, 45 states already have laws requiring
notification in the event of a security breach. In addition, it
is the standard practice of most business entities to notify
individuals if a security breach occurs. Therefore, CBO
estimates the notification requirements would not impose
significant additional costs on businesses.
Requirements for data brokers
The bill would impose new disclosure and data collection
requirements on data brokers. The bill defines a data broker as
a business entity which, for monetary fees or dues, regularly
engages in the practice of collecting, transmitting, or
providing access to sensitive, personally identifiable
information on more than 5,000 individuals who are not the
customers or employees of that business entity or affiliate,
primarily for the purposes of providing such information to
nonaffiliated third parties on an interstate basis.
Section 201 would require certain data brokers to disclose
to individuals, upon their request, all personal electronic
records relating to an individual that are kept primarily for
third parties. Additionally, if an individual disputes the
accuracy of the information that is contained in the data
brokers' records, the data brokers would be required to change
the information or provide the individual with contact
information for the source from which they obtained the
information. Upon investigation, data brokers could determine
that some requests to change an individual's information are
frivolous. However, the data broker would be required to notify
any individual requesting a change of information if such an
action is taken.
The cost of providing records upon request depends on the
costs of gathering and distributing the information to
individuals and the number of individuals requesting their
information. Under the bill, data brokers would be allowed to
charge a reasonable fee for this service. Data brokers would
likely be able to cover their costs of providing individuals
with their personal information with the fee they could charge.
However, the cost to data brokers of having to change
individuals' information and notifying the individuals could be
large. According to information from industry sources, however,
some data brokers already correct information based on requests
from individuals.
The average cost to large data brokers that currently
provide this service is about $8.50 each time a record is
disclosed and information is disputed by an individual,
according to some industry experts. However, the cost per
record may be higher for data brokers who do not currently have
systems in place to handle such disputes. Some evidence exists
that many individuals' personally identifiable information
housed at data brokerage firms is in part incorrect. If a large
number of individuals request data changes, CBO estimates that
the time and notification costs to data brokers could be high.
Because of uncertainty about the number of individuals who
would request information under the bill and, as a result of
those requests, the amount of information that would need to be
changed, CBO cannot estimate the cost of this mandate.
Adverse actions using information from data brokers
Section 201 also would require any entity taking an adverse
action with respect to an individual based on information
contained in a personal electronic record maintained, updated,
owned, or possessed by a data broker to notify the individual
of the adverse action. The notification can be written or
electronic and must include certain information about the data
broker. While the per-individual cost of notification would be
small, the cost of complying with the mandate would depend on
the number of adverse actions that would be taken against
individuals by entities. Because data about the incidence of
such actions are unavailable, CBO has no basis to determine the
direct cost of complying with this mandate.
Estimate prepared by: Federal costs: Federal Agencies--
Matthew Pickford; U.S. Secret Service--Mark Grabowicz; Impact
on state, local, and tribal governments: Elizabeth Cove
Delisle; Impact on the private sector: Marin Randall.
Estimate approved by: Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
V. Regulatory Impact Evaluation
In compliance with Rule XXVI of the Standing Rules of the
Senate, the Committee finds that no significant regulatory
impact will result from the enactment of S. 1490.
VI. Conclusion
The Personal Data Privacy and Security Act of 2009, S.
1490, provides greatly needed privacy protections to American
consumers and businesses, to ensure that all Americans have the
tools necessary to protect themselves from identity theft and
other data security risks. This legislation will also ensure
that the most effective mechanisms and technologies for dealing
with the underlying problem of lax data security are
implemented by the Nation's businesses to help prevent data
breaches from occurring in the first place. The passage and
enactment of this important privacy legislation is long
overdue.
VII. MINORITY VIEWS FROM SENATORS SESSIONS AND KYL
This legislation deals with two issues about which there is
bipartisan agreement on the need for congressional action: data
security and identity theft. We fully support the goals behind
the provisions on this legislation dealing with notice to law
enforcement and to consumers in the event of a data breach.
Such notice provides law enforcement with valuable information
on how to fight data and identity theft crimes which have
exploded in recent years, and which are now increasingly
committed by sophisticated criminal enterprises with global
reach. Timely notice of genuine threats to individuals'
identity information also gives consumers the ability to
protect themselves. We believe, however, that notice to
consumers must occur after an intelligent assessment of the
risk a breach poses to consumers. Requiring notice for trivial
security breaches will cause consumers to be inundated by
inconsequential warnings, and if consumers find themselves
overwhelmed by trivial notices, they will be more likely to
ignore warnings that matter--when their identity information is
genuinely at risk. Such a notice regime would not help
consumers, but will affirmatively harm them.
While we commend the Chairman's efforts in this area, we
unfortunately cannot support S. 1490 because we believe that it
will be counterproductive to our shared goal of consumer
protection, and because we fear that it strays far afield from
the core objective of protecting consumers whose information
has been compromised. S. 1490 seeks to impose new regulations
not only on ``Data Brokers''--a class of businesses defined so
broadly as to ensnare companies not engaged in the data broker
business--but also on any entity or person that merely uses
information obtained from commercial data sources. The
regulations proposed in this bill will confuse consumers and
businesses alike, and eventually harm the economy at large.
BACKGROUND
Identity theft is a major concern for consumers and for
businesses, and the threat from increasingly sophisticated
criminal enterprises is both serious and growing. Both business
and government have spent a great deal of time and effort to
understand and combat this crime. Law enforcement at the
federal, state and local levels have increased their
cooperation, and businesses have adopted more rigorous internal
controls to protect their customers' information. During the
last Administration, the President's Identity Theft Task Force
issued a report in April 2007 after 10 months of study, showing
that the business community had spent billions of dollars
enhancing data security, building better ways to detect and
stop fraud and identity theft before it occurs, and working
with victims.
State governments have also become very active in this
area. Already 45 states and the District of Columbia have
enacted laws to combat identity theft and to require businesses
who are victimized by a data breach to contact consumers and
inform them of the risk to their sensitive personal identity
information. There are significant differences across the
various state laws, however, and so a Federal response--to
provide consistency and predictability which will promote
interstate commerce--is clearly necessary.
Our first priority must be to ensure that consumers have
the tools to protect themselves in the event of a data breach.
Americans need to be notified when information pertaining to
them is compromised in a way that may jeopardize their
identities. For such notices to be effective, however, they
must be issued only when there are reasonable grounds to do so.
We know from the experience of the Gramm-Leach-Bliley Act
(GLBA) that over-notification leads to consumer apathy, with
the result that consumers are exposed to greater risks.
SPECIFIC CONCERNS WITH S. 1490, THE PERSONAL DATA PRIVACY AND SECURITY ACT
Though we support many of the stated goals of this
legislation, we have several specific concerns with S. 1490 as
reported by the Committee.
1. The Notice provisions will likely result in over-notification to consumers of data breaches
The bill sets a default rule that consumers must be
notified of any breach ``following the discovery'' of a breach.
It then provides a ``safe harbor'' that excuses companies from
that obligation if the company conducts a risk assessment and
concludes that the breach does not bear a reasonable risk of
``harm'' to the consumer. The term ``harm'' is potentially very
broad, and the bill does not define it. Although supporters of
the bill have been repeatedly asked what ``harm'' would cover,
they have never provided a clear answer. In the face of such
ambiguity, and in the face of the severe consequences for
failure to issue notices when required, businesses are likely
to minimize their legal risk by simply notifying consumers even
of minor non-threatening breaches. Such defensive behavior,
however rational from the perspective of the business
victimized by a data breach, will almost certainly dull
consumers' sensitivity to breach notices and leave them at
greater risk than they face in the absence of federal
legislation.
2. The scope of protected information is over-broad, and will contribute to over-notification
The bill also defines the protected class of information--
``sensitive personally identifiable information''--to include
widely available information that is not sufficient to pose a
risk of identity theft. But the bill's notice and ``safe
harbor'' provisions would be triggered even where the data
breach only revealed such relatively innocuous information.
3. The definition of Security Breach is over-broad
The bill defines a breach as including unauthorized
``access'' or ``acquisition'' of sensitive personally
identifiable information. While ``access'' to such information
is a common term used in the criminal code, its use alongside
``acquisition'' implies that ``access'' refers only to
instances where the personal data is not ``acquired''--i.e.
where the data is not in some way recorded, collected, or taken
for future, potentially harmful, use. Thus, the current
definition of a ``breach'' would appear to cover instances
where information is viewed in passing, or possibly where a
person obtains unauthorized access to a computer system that
contains personal information, even if the invader never views
or downloads the information. Such activity, however, does not
threaten individuals whose data was ``accessed'' with any harm.
The problems posed by this definition may be reduced in
part by the new proviso added to the definition of a ``security
breach'' in committee, which limits the definition of a breach
to incidents ``which present a significant risk of harm or
fraud to any individual.'' That language, however, leads to
different problems.
One of the most valuable aspects of S. 1490 is the
requirement for companies who suffer data breaches to report
those incidents to law enforcement. That reporting requirement
will assist our law enforcement agencies to better analyze and
defend against the methods of increasingly sophisticated and
global criminal enterprises that commonly engage in data theft.
In order to avoid desensitizing the public through
over-notification of such breaches, however, any legislation in this
area should include a clear risk-based standard for requiring
companies to take the additional step of notifying individual
consumers who might have been affected by the breach.
Inserting the ``significant risk of harm or fraud'' test in
the definition of a ``security breach,'' however, places the
threshold too early in the process. This language also places
the determination of whether there is a ``substantial risk,''
and thus, the applicability of the entire breach notice regime,
largely within the discretion of the business that experienced
the data breach. While S. 1490 imposes severe penalties on
companies who refuse to provide appropriate notice to
consumers, the inclusion of a ``significant risk'' test in the
definition of a ``breach'' dramatically increases the risk that
a company might incorrectly conclude that the attack it
suffered did not meet the statutory definition of a ``security
breach'' and thus fail to notify or seek the views of law
enforcement.
4. The legislation should specifically and completely exempt entities regulated by other federal laws from the provisions of this Act
Consumer reporting agencies (CRAs) are already fully
regulated under requirements under the Fair Credit Reporting
Act (FCRA), and financial institutions are regulated under the
Gramm-Leach-Bliley Act. Companies that are already regulated
under the FCRA and Gramm-Leach-Bliley (GLB) should be
specifically exempt from this Act, and from the definition of
``data broker'' because they are already subject to rigorous
data safeguard requirements under these statutes.
The Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
is a time-tested statute that has received frequent and
thoughtful review by Congress, and was most recently updated in
2003, with extensive changes implemented by the FACT Act (Pub.
L. 108-159).\1\
---------------------------------------------------------------------------
\1\That Act contained a number of significant provisions designed
to protect consumers and combat identity theft, and I again compliment
Senator Shelby for his work on that legislation as the then-Chairman
of the Senate Banking Committee.
---------------------------------------------------------------------------
The requirements laid out in this legislation would create
a host of conflicting, inconsistent, unworkable and potentially
negative impacts on FCRA-regulated entities, and could have
significant negative effects on consumers.
Further, assuming that it was the Committee's intent to
exempt FCRA and GLB covered entities from the scope of some
provisions of this Act, the exemption crafted by the Committee
is incomplete, and would in many cases subject FCRA regulated
entities to duplicative and conflicting standards. Rather than
having the Judiciary Committee attempt to craft those
exemptions, we should defer to the Banking Committee, which has
the expertise to determine that the exemptions are as complete
as intended.
5. Other issues
In addition to these flaws, S. 1490 also contains
unnecessary provisions that might be politically attractive to
their advocates but which do not ultimately serve the interests
of the consumers we are pledged to protect.
The data broker regulations in Title II of S. 1490 are the
best example of the ``bloat'' that afflicts this bill.
Notwithstanding the exemptions incorporated into this title,
the bill's definition of ``data broker'' is far too broad and
runs the risk of covering a range of entities--including
on-line payment or banking service providers--that are not engaged
in a business that fits the common understanding of what
constitutes a ``data broker.''
Title II also attempts to treat data broker services as
analogous to credit reporting services, while overlooking the
fact that the uses of these databases--e.g., for authenticating
identity and fraud prevention, as well as for things such as
locating deadbeat parents--is very different from the
predominant use of credit report data as a financial
transactions tool. For example, Title II contains a vague and
potentially wide-ranging notice obligation by any person or
entity who takes ``adverse action'' against an individual based
in whole or in part on information obtained from a data broker.
Yet ``adverse action'' is never defined, and the potential
reach of this obligation is enormous. In addition, Title II
creates a reach-through right for any consumer to contest
information held by a data broker by being referred to the
source of the information, including any commercial business
with which the individual has a transaction history. Such a
requirement would impose enormous costs on the U.S. economy, in
exchange for little protection gained for the individual
consumer.
Title IV of S. 1490 is also problematic, since it would
require federal agencies that use data broker services to
publish privacy impact notices in the Federal Register. Not
only does this take an obligation that attaches to records in
government's own control and attach it to privately held data
which the government reviews under contract, but the privacy
impact analysis language in the bill contains no exception for
law enforcement or counterterrorism uses of the data broker's
services. According to a 2005 GAO audit, 91% of government use
of data broker services was for these two types of activities,
and publication of details about the government's data use
(e.g. for security investigations or other sensitive
activities) could hamper these critical functions.
CONCLUSION
For these reasons, we dissent from the views and policy
represented by S. 1490, and we would urge our colleagues to
revisit many of the policy and drafting problems created by
this bill.
Jeff Sessions.
Jon Kyl.
VIII. Changes to Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of Rule XXVI of the
Standing Rules of the Senate, the Committee finds that it is
necessary to dispense with the requirement of paragraph 12 to
expedite the business of the Senate.