Companies would be required to disclose cyber attacks that jeopardize consumers’ personal information and concealing a data breach would be made a crime under Senate legislation aimed at enhancing privacy protections.
The bill unveiled today by Senator Patrick Leahy, a Vermont Democrat, would set a national standard for notifying consumers that replaces data-breach reporting requirements in 47 states. Leahy, who chairs the Senate Judiciary Committee, cited recent cyber attacks at companies including Sony Corp. and Lockheed Martin Corp. as he introduced the measure.
“The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country,” Leahy said in a statement.
Under the measure, anyone who “intentionally or willfully” conceals a data breach would be subject to criminal penalties including a fine or up to five years in prison, according to a fact sheet released with the bill.
The bill, known as the Personal Data Privacy and Security Act of 2011, is co-sponsored by three other Democratic senators: Charles Schumer of New York, Ben Cardin of Maryland, and Al Franken of Minnesota. Leahy introduced similar cybersecurity measures in 2005, 2007 and 2009 that failed to advance in the Senate.
The measure parallels the cybersecurity proposal issued by the Obama administration on May 12. Like the administration’s plan, the Senate bill introduced today calls for creating a uniform federal law for informing consumers about data breaches, a provision welcomed by the technology industry.
The proliferation of state laws has caused “confusion for consumers and unnecessary compliance burdens for companies,” Robert Holleyman, president of the Business Software Alliance, said in a statement. The group represents software makers including Apple Inc. and Microsoft Corp. Holleyman urged Congress to pass “a single, national standard to replace the unwieldy state patchwork we have today.”
The security breaches at Sony and Lockheed Martin have sharpened U.S. government scrutiny of how businesses safeguard consumer data and notify the public about cyber attacks. Sony has been criticized by U.S. lawmakers for taking six days to warn customers about the breach.
The Leahy measure does not give a specific timeframe for making such reports and says that companies should disclose data breaches “without unreasonable delay.” Businesses would be exempt from public disclosure if they determine that no consumer data were compromised and share that information with the U.S. Secret Service.
The legislation also requires businesses to create a privacy and security program to protect “sensitive” data. Federal agencies would be required to evaluate the data security practices of government contractors and assess privacy provisions of third-party data services under the bill.
Lockheed Martin, the world’s largest defense contractor, was hit by a cyber attack on May 21 that the company later said resulted from a March data theft at RSA, a provider of security tokens. RSA’s parent company, EMC Corp., offered today to swap the SecurID tokens that RSA provides to defense contractors and government agencies.
The Leahy bill addresses “the growing need to establish privacy protections when government agencies transfer personal data to private contractors,” Marc Rotenberg, executive director of the Electronic Privacy Information Center, said in an e-mailed statement.
The bill would allow consumers to obtain reports from data brokers such as Acxiom Corp. and Reed Elsevier Plc’s Lexis Nexis unit about the personal information that has been collected on them. Consumers would be allowed to dispute and correct any inaccuracies in the digital records. Data brokers that fail to follow the rules would be subject to fines of up to $250,000 per violation.
House lawmakers including Representative Mary Bono Mack, a California Republican who chairs a subcommittee on commerce, manufacturing and trade, also are working on legislation aimed at protecting consumer data. Bono Mack also has called for a nationwide data-breach reporting standard.
“Consumers have a right to know when their personal information has been compromised, and companies have an overriding responsibility to promptly alert them,” Bono Mack said at a June 2 hearing on data security.