Senator Leahy Reintroduces “Personal Data Privacy and Security Act”: Federal Data Breach Notification Law Includes Criminal Penalties for Failure to Notify

On January 8, 2014, Senator Leahy (D-VT) reintroduced the “Personal Data Privacy and Security Act” (S. 1897), a bill that would both enhance criminal penalties for computer hacking and create a demanding Federal data breach notification statute. At introduction the bill was cosponsored by Senators Chuck Schumer (D-NY), Al Franken (D-MN) and Richard Blumenthal (D-CT), and Senator Robert Menendez (D-NJ) has since joined as a cosponsor. The bill has been referred to the Senate Judiciary Committee, which is expected to hold a hearing on data security breach issues in the coming weeks.

In a press release issued January 8, Senator Leahy described the Personal Data Privacy and Security Act of 2014 as “a comprehensive bill that not only addresses the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place.” The bill includes a new criminal provision under which anyone with “knowledge of a security breach and of the fact that notice of such security breach is required” under the Act who “intentionally and willfully” conceals the breach commits a federal crime. A violation would be punishable by a fine, up to five years’ imprisonment, or both. Senator Leahy first introduced a similar bill in 2005 and has reintroduced it in every two-year Congressional term since. Although past versions of the bill were approved and reported by the Senate Judiciary Committee, which Senator Leahy has chaired since 2007, none has passed the full Senate.

The proposed Federal data breach notification law would require notification in more circumstances than most current state laws. Under the proposed Act, notification would be required when an individual’s name is acquired together with his or her address, telephone number, mother’s maiden name, or full date of birth. In addition, acquisition of any one of the following, by itself, could trigger a notification obligation: a government identification number (e.g., Social Security number, driver’s license number or passport number), biometric data (e.g., a fingerprint), or unique financial account information. The notification provisions also include a self-described “safe harbor”: a company may conduct a risk assessment to determine whether there is a “significant risk” that the breach will result in identity theft or economic or physical harm to an individual. If it concludes there is no significant risk of such harm, the entity can submit that risk assessment, together with information about the breach, to the Federal Trade Commission (“FTC”), which may grant an exemption from notification. Practitioners should note that the burden here sits with the breached entity: the exemption is discretionary with the FTC and depends on a documented assessment, not on the entity’s own conclusion.

To enhance penalties for identity theft and computer hacking, the bill would amend the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, so that attempt and conspiracy charges brought under the CFAA are punishable to the same degree as the completed offenses. The bill would also add CFAA violations to the list of predicate offenses under the Racketeer Influenced and Corrupt Organizations (“RICO”) Act, giving prosecutors additional enforcement tools against computer criminals. Finally, the bill would require business entities that collect, access, store or dispose of personal information on 10,000 or more individuals to implement a “comprehensive personal data privacy and security program” to safeguard that information. The full text of the proposed bill can be found here, and Senator Leahy’s section-by-section outline of the bill can be read here.

Written by Louis Dennig, Associate, Privacy & Data Security | Alston & Bird, LLP