Thursday, June 23, 2011

Senator Leahy Introduces the Personal Data Privacy and Security Act of 2011

According to Senator Leahy's website, the provisions of the Personal Data Privacy and Security Act include:

• Increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data;

• Giving individuals access to, and the opportunity to correct, any personal information held by commercial data brokers;

• Requiring entities that maintain personal data to establish internal policies that protect the personal data of Americans;

• Requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and

• Requiring the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers, and to impose penalties on government contractors that fail to meet data privacy and security requirements.

The Senator has introduced this act several times before. Interestingly, the drafters didn’t bother to update the statistic of 9,300,000 victims of computer fraud, which is carried over from the original version in 2007. The actual number for 2010 would have been more like 16,167,542, as reported by the Identity Theft Resource Center.

The only major change to the act since 2007 is the inclusion of section 103, which, in summary, changes the federal laws for computer fraud to include conspiracy to commit computer fraud. The most interesting part of this bill is that it makes the concealment of a breach a felony punishable by up to 5 years in prison.

Also, just like the Privacy Bill of Rights and the Do-Not-Track acts previously discussed, this act imposes limitations on civil actions by state attorneys general. In this case, the states are limited to $5,000 per day, up to $500,000. The act does not specify whether this is a per-state limitation or a limitation on all of the states collectively. If the latter, this particular legislation is definitely a step backward from the other two proposals enacted earlier this year.

I’m still not certain whether it would be better to consolidate the three bills, or whether portions of the three bills could stand on their own. Will this be the year some legislation is finally enacted? Certainly there has been a lot of hacking so far in 2011, but it remains to be seen how much legislation can be passed in the remainder of this year.
