Data collection and security was a big topic on the Hill last week, where five congressional committees examined the issue over several days. On the topic of data breaches specifically, the Senate Judiciary Committee held a hearing on “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime” and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled, “Protecting Consumer Information: Can Data Breaches Be Prevented?”
Appearing to be particularly influenced by the recent series of high profile data breaches involving Target and Neiman Marcus, several legislators have also reintroduced a number of data-security bills to the Senate. Last Tuesday, just ahead of the Senate Judiciary hearing, Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) reintroduced the Personal Data Protection and Breach Accountability Act (“PDPBA”).
For any business, including commercial and non-profit organizations, that accesses, transmits, or stores sensitive personally identifiable information, the Act would (1) require implementation of data privacy and security programs to safeguard sensitive consumer data; (2) establish data breach notification requirements; (3) provide stiff civil penalties; (4) criminalize the concealment of breaches involving personal information; (5) preempt state and existing federal breach-notification laws; and (5) gather information from federal agencies and law enforcement regarding breach occurrences and compliance with the Act. The PDPBA was previously introduced by Sen. Blumenthal in 2011. At that time, Sen. Blumenthal said that the goal of the proposed law was essentially “to prevent and deter data breaches.” On the reintroduction of the bill last week, Sen. Blumenthal was more severe, stating, “This bill will give consumers much stronger, industry-wide protections against massive thefts of private financial information by hackers and digital thieves. Stiffer enforcement with stringent penalties are vital to assure that retailers use state of the art safeguards.”
The Act appears to be substantially similar to the Data Security and Breach Notification Act (“DSBA”), introduced a week before, with the critical distinction being the DSBA’s provisions concerning the Federal Trade Commission, which would greatly increase the specificity of the agency’s enforcement authority. The PDPBA would give the Department of Justice the primary enforcement role, but would allow the FTC to create rules to identify data-security safeguards. The PDPBA also contains stiffer maximum penalties for violations of the Act and notably includes a private right of action, providing for additional hefty civil penalties. Lastly, to establish performance metrics, the PDPBA would require all enforcement bodies to submit to Congress on a yearly basis an agency-specific report, respectively including information on reported breaches from the previous year; all federal, state, and private enforcement actions undertaken pursuant to the Act; and an assessment of the effectiveness of post-breach notification practices.
These data-security bills are not the only two recently reintroduced to the Senate; on January 15, Senators Roy Blunt (R-MO) and Tom Carper (D-DE) reintroduced the Data Security Act, bipartisan legislation that would establish one national data-security regime and create breach requirements for businesses that collect financial information and for data brokers that compile private information, among other entities. On January 8, Sen. Patrick Leahy (D-VT) reintroduced his data privacy protection bill, which would also create a national standard for data-breach notification. Last year, Sen. Toomey (R-PA) reintroduced the Data Security and Breach Notification Act, which would preempt more restrictive state laws. Finally, following the lead of his colleagues, Sen. Robert Menendez (D-NJ) recently stated that he would soon introduce the Commercial Privacy Bill of Rights, which like the other bills, would provide protections for sensitive consumer data and establish “reasonable accountability measures” for businesses. At least nine data-security and breach-notification bills were introduced during the 112th Congress, and with the Senate’s latest flurry, Capitol Hill might expect to see even more activity from the 113th.