Prompted by the recent Target Corp data breach, Sen. Patrick Leahy (D-Vt.) reintroduced his data privacy protection bill in Congress on January 8. This marks the fifth time that Leahy has introduced the Personal Data Privacy and Security Act, which made its first appearance in Congress in 2005.
Leahy’s bill would establish one national standard for data breach notification and mandate that consumers be informed when their personal information has been compromised, among other things. The bill would also increase criminal penalties for intentionally or willfully concealing a data breach that causes economic damage to consumers. Also in the bill are provisions implementing the Obama administration’s proposal to update the 1986 Computer Fraud and Abuse Act by rendering the offenses of attempted computer hacking and conspiracy to commit computer hacking punishable by the same criminal penalties as their underlying crimes.
In his statement announcing the reintroduction of the bill, Leahy called the Target data breach “a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our Nation.” Leahy, who is Chairman of the Senate Judiciary Committee, also stated that the committee would hold a hearing focusing on data privacy and protection this year.
Similar developments are expected in the House, where Representative Tom Carper (D-Del.) intends to reintroduce his data protection bill as well. The 2007 Carper-Blunt bill—which was initially introduced following the TJMaxx credit card data breach and considered again in 2011—would impose national standards for reporting data breaches that cause consumer harm or bank fraud, among other provisions.
Carper and Leahy are not the only Congressional actors calling for data protection legislation in the wake of the Target breach. Also on January 8, Senator Deb Fischer (R-Neb.) took to the Senate floor, calling for action on data privacy and asking that the Senate Commerce Committee take up the issue. Fischer expressed concern that “[o]ur nation’s entire data security system is in desperate need of revamping” and her belief that data privacy protection “require[s] congressional action.”
Other Members of Congress expressed similar views. Senator Chuck Schumer (D-N.Y.)—who, incidentally, has called for a full investigation by the Consumer Financial Protection Bureau into Target’s data breach—joined fellow Banking Committee Democratic Senators Bob Menendez (D-N.J.) and Mark Warner (D-Va.) in asking Chairman Tim Johnson (D-S.D.) to hold a hearing on data privacy and protection issues. Similarly, Representative Maxine Waters (D-Calif.) intends to send a letter to House Financial Services Committee Chairman Jeb Hensarling requesting a hearing on data privacy and protection.
Finally, according to The Hill, Senator Richard Blumenthal (D-Conn.) would consider writing legislation granting the Federal Trade Commission data privacy and protection enforcement authority. It is unclear what level of enthusiasm FTC Commissioner Maureen Ohlhausen would exhibit toward such a plan; in the past, Ohlhausen has cautioned that government officials should approach new technologies with a dose of humility and consider whether existing laws are sufficient to address emerging technological issues before assuming that new rules are required.
The renewed data security activity may lead to debates regarding practical obstacles to federal legislation on security and data breaches, such as how to handle existing provisions in the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act that cover similar issues, as well as the many data protection laws currently in existence in almost every state.
Update — January 10, 2014: Senate Banking Committee Chairman Tim Johnson will hold a hearing regarding data security in the coming weeks.
Update — January 15, 2014: The Senate Judiciary Committee has scheduled its hearing on data breaches for February 4, 2014.