[Senate Report 111-110]
[From the U.S. Government Publishing Office]

Calendar No. 208
111th Congress, 1st Session
Senate Report 111-110

======================================================================

PERSONAL DATA PRIVACY AND SECURITY ACT OF 2009

_______

December 17, 2009.--Ordered to be printed

_______

Mr. Leahy, from the Committee on the Judiciary, submitted the following

R E P O R T

[To accompany S. 1490]

[Including cost estimate of the Congressional Budget Office]

The Committee on the Judiciary, to which was referred the bill (S. 1490), to prevent and mitigate identity theft, to ensure privacy, to provide security protections for personal data, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information, having considered the same, reports favorably thereon, with an amendment, and recommends that the bill, as amended, do pass.

CONTENTS

I. Background and Purpose of the Personal Data Privacy and Security Act of 2009
II. History of the Bill and Committee Consideration
III. Section-by-Section Summary of the Bill
IV. Congressional Budget Office Cost Estimate
V. Regulatory Impact Evaluation
VI. Conclusion
VII. Minority Views
VIII. Changes to Existing Law Made by the Bill, as Reported

I. Background and Purpose of the Personal Data Privacy and Security Act of 2009

A. SUMMARY

Advanced technologies, combined with the realities of the post-9/11 digital era, have created strong incentives and opportunities for collecting and selling personal information about ordinary Americans.
Today, private sector and governmental entities alike routinely traffic in billions of electronic personal records about Americans. Americans rely on this data to facilitate financial transactions, provide services, prevent fraud, screen employees, investigate crimes, and find loved ones. The Government also relies upon this information to enhance national security and to combat crime. The growing market for personal information has also become a treasure trove that is both valuable and vulnerable to identity thieves. As a result, the consequences of a data security breach can be quite serious. For Americans caught up in the endless cycle of watching their credit unravel, undoing the damage caused by security breaches and identity theft can become a time-consuming and lifelong endeavor.

In addition, while identity theft is a major privacy concern for most Americans, the use and collection of personal data by Government agencies can have an even greater impact on Americans' privacy. The loss or theft of Government data can potentially expose ordinary citizens, Government employees, and members of the armed services alike to national security and personal security threats.

Despite these well-known dangers, the Nation's privacy laws lag far behind the capabilities of technology and the cunning of identity thieves. The Personal Data Privacy and Security Act of 2009 is a comprehensive, bipartisan privacy bill that seeks to close this privacy gap by establishing meaningful national standards for providing notice of data security breaches, and by addressing the underlying problem of lax data security, to make it less likely that data security breaches occur in the first place.

B. THE GROWING PROBLEM OF DATA SECURITY BREACHES AND IDENTITY THEFT

According to the Privacy Rights Clearinghouse, more than 340 million records containing sensitive personal information have been involved in data security breaches since 2005.\1\ Since the Personal Data Privacy and Security Act was first reported by the Judiciary Committee in November 2005, there have been at least 599 different data security breaches in the United States, affecting millions of American consumers.\2\ For example, in January 2009, Heartland Payment Systems, one of the Nation's leading processors of credit and debit card transactions, announced that its processing system records containing more than 130 million credit card accounts had been breached by hackers. In January 2007, mega-retailer TJX disclosed that it suffered a data breach affecting at least 45.7 million credit and debit cards.\3\ These data breaches follow many other commercial data breaches, collectively affecting millions of Americans, including data security breaches at ChoicePoint and LexisNexis.

---------------------------------------------------------------------------
\1\See ``Privacy Rights Clearinghouse Chronology of Data Breaches,'' available at http://www.privacyrights.org/.
\2\Id.
\3\``Breach of data at TJX is called the biggest ever, Stolen numbers put at 45.7 million,'' Boston Globe, March 29, 2007.
---------------------------------------------------------------------------

Federal Government agencies have also suffered serious data security breaches.
In February 2009, the Federal Aviation Administration revealed that computer hackers breached one of its servers and stole sensitive personal information concerning 45,000 current and former FAA employees.\4\ In June 2008, Walter Reed Medical Center reported that the personal information of 1,000 Military Health System beneficiaries may have been improperly disclosed through the unauthorized sharing of data.\5\ In May 2006, the Department of Veterans Affairs lost an unsecured laptop computer hard drive containing the health records and other sensitive personal information of approximately 26.5 million veterans and their spouses.\6\ And, in May 2007, the Transportation Security Administration (TSA) reported that the personal and financial records of 100,000 TSA employees were lost after a computer hard drive was reported missing from the Agency's headquarters, exposing the Department of Homeland Security to potential national security risks.\7\

---------------------------------------------------------------------------
\4\``FAA Breach Heightens Cybersecurity Concerns,'' Federal Computer Week, February 23, 2009.
\5\``Walter Reed: Data Breach at Military Hospitals,'' The Associated Press, June 3, 2008.
\6\See Testimony of the Honorable James Nicholson, Secretary of Veterans Affairs, before the House Committee on Government Reform, June 8, 2006.
\7\See ``TSA seeks hard drive, personal data for 100,000,'' USA Today, May 5, 2007; see also, the Federal Times, ``Union Sues TSA over loss of data on employees,'' May 9, 2007.
---------------------------------------------------------------------------

The steady wave of data security breaches in recent years is a window into a broader, more challenging trend. Insecure databases are now low-hanging fruit for hackers looking to steal identities and commit fraud. Lax data security is also a threat to American businesses.
The President's recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion.\8\ Because data security breaches adversely affect many segments of the American community, a meaningful solution to this growing problem must carefully balance the interests and needs of consumers, business, and the Government.

---------------------------------------------------------------------------
\8\``President's Report on Cyberspace Policy Review,'' May 29, 2009, at page 2.
---------------------------------------------------------------------------

C. THE PERSONAL DATA PRIVACY AND SECURITY ACT OF 2009

The Personal Data Privacy and Security Act of 2009 takes several meaningful and important steps to balance the interests and needs of consumers, business, and the Government in order to better protect Americans' sensitive personal data. This legislation is supported by a wide range of consumer, business, and Government organizations, including the United States Secret Service, the Federal Trade Commission, Microsoft, the Business Software Alliance, Consumer Federation of America, Consumers Union, the American Federation of Government Employees, Facebook, the Center for Democracy & Technology, and the ACLU.

1. Access and correction

First, to provide consumers with tools that enable them to guard against identity theft, the bill gives consumers the right to know what sensitive personal information commercial data brokers have about them. In addition, the bill extends the protections afforded under the Fair and Accurate Credit Transactions Act (FACTA) to this data, by allowing consumers to correct their personal information if it is inaccurate.
Under circumstances where a business entity makes an adverse decision based on information provided to it by a data broker, the bill also requires that the business entity notify the consumer of the adverse decision and provide the consumer with the information needed to contact the data broker and correct the information. There is an exemption to this requirement for fraud databases, to ensure that the Government can detect and combat fraud. The right of consumers to access and correct their own sensitive personal data is a simple matter of fairness. The principles of access and correction incorporated in the bill have precedent in the credit reporting industry context, and these principles have been adapted to the data broker industry.

2. Data Security Program

Second, the bill recognizes that, in the Information Age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the information that it uses and collects. The bill takes important steps to accomplish this goal, by requiring that companies that have databases with sensitive personal information on more than 10,000 Americans establish and implement a data privacy and security program. There are exemptions to this requirement for companies already subject to data security requirements under the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA).

3. Notice

Third, because American consumers should know when they are at risk of identity theft, or other harms, because of a data security breach, the bill also requires that business entities and Federal agencies promptly notify affected individuals and law enforcement when a data security breach occurs. Armed with such knowledge, consumers can take steps to protect themselves, their families, and their personal and financial well-being.
The trigger for notice to individuals is ``significant risk of harm,'' and this trigger includes appropriate checks and balances to prevent over-notification and underreporting of data security breaches. In this regard, the bill recognizes that there are harms other than identity theft that can result from a data security breach, including harm from other financial crimes, stalking, and other criminal activity. Consequently, the bill adopts a trigger of ``significant risk of harm,'' rather than a weaker trigger of ``significant risk of identity theft,'' for the notice requirement for individuals in the legislation.\9\ There are exemptions to the notice requirements for individuals for national security and law enforcement reasons, as well as an exemption to this requirement for credit card companies that have effective fraud-prevention programs.\10\ The bill contemplates that a reasonable delay of notice could include the time necessary for a victim company to conduct a risk assessment under Section 302(a)(3). --------------------------------------------------------------------------- \9\A notice trigger based upon ``significant risk of identity theft'' would weaken the notice provisions in S. 1490 and such a standard would also fail to adequately protect consumers. First, the weaker ``significant risk of identity theft'' standard only requires notification of consumers when a business entity or Federal agency affirmatively finds that there is a significant risk of the specific crime of identity theft. In addition, as discussed above, there are other harms that could result from data security breaches, such as stalking, physical harm, or threats to national security, that are not addressed or covered under a notice standard based solely on the risk of identity theft. \10\Some have incorrectly argued that S. 1490 will result in over- notification of consumers and in a lack of clarity for business. 
To the contrary, the bill contains meaningful checks and balances, including the risk assessment and financial fraud prevention provisions in Section 312, to prevent over-notification and the underreporting of data security breaches. The risk assessment provision in Section 312(b), furthermore, provides businesses with an opportunity to fully evaluate data security breaches when they occur, to determine whether notice should be provided to consumers. In addition, the bill complements and properly builds upon other Federal statutes governing data privacy and security to ensure clarity for business in this area. For example, to avoid conflicting obligations regarding the bill's data security program requirements, Section 301(c) specifically exempts financial institutions that are already subject to, and complying with, the data privacy and security requirements under GLB, as well as HIPAA-regulated entities. The bill also builds upon existing Federal laws and guidance, such as the data security protections established by the Office of the Comptroller of the Currency for financial institutions and the access and correction provisions in the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act, to clarify the obligations of business.
---------------------------------------------------------------------------

In addition, to strengthen the tools available to law enforcement to investigate data security breaches and to combat identity theft, the bill also requires that business entities and Federal agencies notify the Secret Service of a data security breach within 14 days of the occurrence of the breach. This notice will provide law enforcement with a valuable head start in pursuing the perpetrators of cyber intrusions and identity theft.
The bill also empowers the Secret Service to obtain additional information about the data breach from business entities and Federal agencies to determine whether notice of the breach should be given to consumers and other law enforcement agencies. This mechanism gives businesses and agencies certainty as to their legal obligation to provide notice and prevents them from sending notices when they are unnecessary, which, over time, could result in consumers ignoring such notices.

The notice of breach provisions for electronic health records that Congress enacted in the American Recovery and Reinvestment Act (ARRA) apply to information that is accessed or disclosed from personal health records. The notice of breach provisions in this bill are not intended to preempt the notice requirements established by ARRA.

The bill also recognizes the benefits of separating the notice obligations of owners of personally identifiable information and third parties who use and manage personally identifiable information on the owner's behalf. The bill imposes an obligation on third parties that suffer a data security breach to notify the owners or licensees of the personally identifiable information, who would, in turn, notify consumers. If the owner or licensee of the data gives notice of the breach to the consumer, then the breached third party does not have to give notice. The bill also states that it does not abrogate any agreement between a breached entity and a data owner or licensee to provide the required notice in the event of a breach. Separating the notice obligations between data owners and licensees, and third parties, will encourage data owners and licensees to address the notice obligation in agreements with third parties and will help to ensure that consumers will receive timely notice from the entity with which they have a direct relationship and would recognize upon receiving such notice, in the event of a data security breach.
However, this notice can only be effective if the entity which suffers the breach, and any other third parties, provide to the entity who will give the notice complete and timely information about the nature and scope of the breach and the identity of the entity breached. 4. Enforcement Fourth, this legislation also establishes tough, but fair, enforcement provisions to punish those who fail to notify consumers of a data security breach, or to maintain a data security program. The bill makes it a crime for any individual, with knowledge of the obligation to provide notice of a security breach, to intentionally and willfully conceal the breach that subsequently causes economic harm to consumers. Violators of this provision are subject to a criminal fine under title 18, or imprisonment of up to five years, or both. This provision is no more onerous than criminal provisions for other types of fraudulent conduct which causes similar harm to individuals. The bill also contains strong civil enforcement provisions. The bill authorizes the Federal Trade Commission (FTC) to bring a civil enforcement action for violations of the data security program requirements in the bill and to recover a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation.\11\ In addition, the bill authorizes State Attorneys General, or the U.S. Attorney General, to bring a civil enforcement action against violators of the notice requirements in the bill and to recover a civil penalty of not more than $1,000 per individual, per day and a maximum penalty of $1,000,000 per violation, unless the violation is willful or intentional. It is not uncommon for Congress to authorize both Federal and State regulators to enforce Federal consumer protection laws. 
In fact, Federal antitrust laws, the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), and the Communications Act of 1934 also authorize State Attorneys General to seek damages or to enjoin further Federal law violations. The State enforcement provisions in this bill are modeled after those laws.

---------------------------------------------------------------------------
\11\Double penalties may be recovered for intentional or willful violations of this provision.
---------------------------------------------------------------------------

The bill authorizes the Secret Service to investigate data security breaches and to provide guidance to companies that have been the victim of a data security breach on their notice obligations under the bill. Since 1984, Congress has provided statutory authority for the Secret Service to investigate a wide range of financial crimes, including offenses under 18 U.S.C. Sec. 1028 (false identification fraud), Sec. 1029 (access device fraud) and Sec. 1030 (computer fraud). In the last two decades, the Secret Service has conducted more than 733,000 financial fraud and identity theft investigations involving these statutes, leading to the prosecution of more than 116,000 individuals.\12\ Pursuant to the notice requirements in the bill, the Secret Service's Criminal Intelligence Section would analyze, coordinate and monitor all data breach investigations reported to it by victim companies.

---------------------------------------------------------------------------
\12\See Secret Service White Paper, ``Data Broker Legislation--S. 1490,'' May 2007.
---------------------------------------------------------------------------

When the Criminal Intelligence Section receives notification of a data breach, it would immediately analyze the information and refer the case to the appropriate field office and/or electronic/financial crimes task force, for investigation and prosecution.
Throughout this process, the Criminal Intelligence Section would stand ready to support the victim company, investigating field office or task force, and prosecuting U.S. Attorney's Office as needed. The Criminal Intelligence Section would also coordinate with the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice to ensure proper and timely response through the Federal judicial system, regardless of where the data breach occurred. In addition, the Criminal Intelligence Section would have the responsibility of notifying Federal law enforcement and State Attorneys General as mandated by the legislation.

Section 316(b) of the bill expressly requires that the FBI must be notified of any data security breach that involves espionage, foreign counterintelligence, or national security matters. Under title 18, section 1030(d)(1), the Secret Service and FBI have concurrent jurisdiction to investigate Section 1030 violations relating to false identification fraud, access device fraud, and computer fraud. Section 1030 designates the FBI as the primary investigative agency for such offenses if they involve espionage, foreign counterintelligence, and other national security matters. Accordingly, the bill incorporates this requirement in the context of breach notice, so that the FBI is promptly notified of any data breach matters that involve espionage, foreign counterintelligence, or national security.

5. Preemption

The legislation also carefully balances the need for Federal uniformity in certain data privacy laws and the important role of States as leaders on privacy issues. Section 304 of the bill (relation to other laws) preempts State laws with respect to requirements for administrative, technical, and physical safeguards for the protection of sensitive personally identifying information. These requirements, which are referred to in this Section, are the same requirements set forth in Section 302 of the bill.
Section 319 of the bill (effect on Federal and State laws) also preempts State laws on breach notification. However, in recognition of the important role that the States have played in developing breach notification, the bill carves out an exception to preemption for State laws regarding providing consumers with information about victim protection assistance that is provided for by the State. In addition, Section 319 of the bill provides that the notice requirements in S. 1490 supersede ``any provision of law of any State relating to notification of a security breach, except as provided in Section 314(b) of the bill.'' The bill's subtitle on security breach notification applies to ``any agency, or business entity engaged in interstate commerce,'' and the term ``agency'' is defined in the bill by referencing section 551 of title 5, United States Code, which pertains to Federal Governmental entities. As a result, the security breach notification requirements in the bill have no application to State and local governmental entities, and the Committee does not intend for this provision to preempt or displace State laws that address obligations of State and local governmental entities to provide notice of security breach. 6. Government Use Finally, the bill establishes important new checks on the Government's use of personal data. In July 2009, the Government Accountability Office (GAO) released a new report on Government information security policies that found persistent weaknesses in Federal agency data security policies and practices.\13\ According to the report, all 24 of the major Federal agencies had weaknesses in their information security controls.\14\ To address these concerns, the bill requires that Federal agencies consider whether data brokers can be trusted with Government contracts that involve sensitive information about Americans before awarding Government contracts. 
The bill also requires that Federal agencies audit and evaluate the information security practices of Government contractors and third parties that support the information technology systems of Government agencies. In addition, the bill requires that Federal agencies adopt regulations that specify the personnel allowed to access Government databases containing personally identifiable information and adopt regulations that establish the standards for ensuring, among other things, the legitimate Government use of sensitive personal information.\15\

---------------------------------------------------------------------------
\13\See Report of the U.S. Government Accountability Office, ``Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses,'' (July 2009).
\14\Id.
\15\In their accompanying views, the Minority makes several arguments in opposition to the bill that are without merit. First, the arguments that the bill's definitions for ``sensitive personally identifiable information'' and ``security breach'' are too broad are wholly unfounded. The Committee crafted the definition for sensitive personally identifiable information after careful consultation with the United States Secret Service, the FTC and several consumer organizations that have had significant experience with the kinds of information that are most vulnerable to identity theft and other cyber crimes. Moreover, the definition of security breach is fully consistent with other Federal computer fraud and privacy laws. See, e.g., 18 U.S.C. Sec. Sec. 1030(a)(2) and (3) (Computer Fraud and Abuse Act); 18 U.S.C. Sec. 2510(4) (definition of ``intercept'' means ``the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.'').
The Minority also incorrectly states that the bill does not exempt entities that are already regulated by other Federal laws governing data privacy and security. Section 201(b) of the bill clearly and expressly exempts FCRA, GLB and HIPAA-regulated entities from the transparency and accuracy provisions of the bill. Moreover, section 301(c) expressly exempts GLB and HIPAA-regulated entities from the data privacy and security program requirements in the bill. Lastly, the notion that the bill should exclude all law enforcement and counterterrorism programs from the privacy impact assessment requirements in the bill is simply without merit. The Minority cites no evidence to demonstrate that privacy impact assessments pose a unique concern for Federal agencies that are engaged in law enforcement or counterterrorism activities. To the contrary, many Federal agencies already conduct privacy impact assessments for these kinds of programs, to the benefit of all Americans.
---------------------------------------------------------------------------

II. History of the Bill and Committee Consideration

A. INTRODUCTION OF THE BILL

Chairman Leahy introduced the Personal Data Privacy and Security Act of 2009 on July 22, 2009. This bipartisan, comprehensive privacy bill is cosponsored by Senators Specter, Hatch, Schumer, Durbin, Feingold, Cardin, and Brown. This legislation is very similar to the Personal Data Privacy and Security Act of 2007, S. 495, which Senators Leahy and Specter introduced on July 6, 2007, and to the Personal Data Privacy and Security Act of 2005, S. 1789, which Senators Leahy and Specter introduced on September 29, 2005. The Judiciary Committee favorably reported S. 495 on May 3, 2007, by voice vote, and S. 1789 on November 17, 2005, by a bipartisan vote of 13 to 5. The Committee has held three hearings related to S. 1490.
On April 13, 2005, the Judiciary Committee held a hearing titled, ``Securing Electronic Personal Data: Striking a Balance between Privacy and Commercial and Governmental Use.'' This hearing examined the practices and weaknesses of the rapidly growing data broker industry and, in particular, how data brokers were handling the most sensitive personal information about Americans. The hearing also explored how Congress could establish a sound legal framework for future data privacy legislation that would ensure that privacy, security, and civil liberties will not be pushed aside in the new Digital Age. The following witnesses testified at this hearing: Deborah Platt Majoras, Chairman of the Federal Trade Commission; Chris Swecker, Assistant Director for the Criminal Investigative Division at the Federal Bureau of Investigation; Larry D. Johnson, Special Agent in Charge of the Criminal Investigative Division of the U.S. Secret Service; William H. Sorrell, President of the National Association of Attorneys General; Douglas C. Curling, President, Chief Operating Officer, and Director of ChoicePoint, Inc.; Kurt P. Sanford, President & CEO of the U.S. Corporate & Federal Markets LexisNexis Group; Jennifer T. Barrett, Chief Privacy Officer of Acxiom Corp.; James X. Dempsey, Executive Director of the Center for Democracy & Technology; and Robert Douglas, CEO of PrivacyToday.com. On March 21, 2007, the Judiciary Committee's Subcommittee on Terrorism, Technology and Homeland Security held a hearing titled, ``Identity Theft: Innovative Solutions for an Evolving Problem.'' This hearing examined the problem of identity theft and legislative solutions to this problem, and discussed the need for Federal legislation on data breach notification. 
The following witnesses testified at this hearing: Ronald Tenpas, Associate Deputy Attorney General, United States Department of Justice; Lydia Parnes, Director, Bureau of Consumer Protection, Federal Trade Commission; James Davis, Chief Information Officer and Vice Chancellor for Information Technology, University of California, Los Angeles; Joanne McNabb, Chief, California Office of Privacy Protection; and Chris Jay Hoofnagle, Senior Staff Attorney, Samuelson Law, Technology & Public Policy Clinic, School of Law (Boalt Hall), University of California, Berkeley. On January 27, 2009, the Committee held a hearing titled, ``Health IT: Protecting Americans' Privacy in the Digital Age.'' This hearing examined best practices for protecting electronic health records and for protecting Americans' health privacy. The following witnesses appeared at that hearing: Adrienne Hahn, Senior Attorney and Program Manager for Health Policy, Consumers Union; James Hester, Jr. Ph.D., Director, Health Care Reform Commission, Vermont State Legislature; Deven McGraw, Director, Health Privacy Project, Center for Democracy and Technology; Michael Stokes, Principal Lead Program Manager, HealthVault, Microsoft Corporation; John Houston, Vice President of Information Security and Privacy, University of Pittsburgh Medical Center; and David Merritt, Project Director, Center for Health Transformation and the Gingrich Group. B. COMMITTEE CONSIDERATION On October 23, 2009, S. 1490 was placed on the Judiciary Committee's agenda. The Committee considered this legislation on November 5, 2009. During the Committee's consideration of S. 1490, three amendments to the bill were offered and one amendment was unanimously adopted by the Committee: First, the Committee adopted, without objection, a manager's amendment to S. 1490 which Chairman Leahy offered on behalf of himself and Senator Specter. 
The manager's amendment clarifies enforcement provisions in the bill, including: (1) adding a fraud database exemption to the provisions allowing consumers to access and correct their personal data; (2) clarifying that the FTC has the authority to enforce the civil enforcement provisions in the bill with respect to business entities; (3) harmonizing the notice of breach provisions in the bill; (4) striking the provision establishing an Office of Federal Identity Protection within the FTC; (5) clarifying the definition of encryption and the standards for the data privacy and security program safe harbor; and (6) amending the definition of security breach to clarify that fraud is a harm that the bill seeks to prevent and address.

The Committee rejected by a vote of 6 to 13 an amendment offered by Senator Sessions (GRA09859) which would limit the information included in the definition of ``security breach.'' The Committee rejected by a vote of 7 to 12 an amendment offered by Senator Kyl (GRA09884) which would exempt law enforcement and national security matters from the requirement that Federal agencies appoint a Chief Privacy Officer and conduct privacy impact assessments.

The Committee then voted to report the Personal Data Privacy and Security Act of 2009, as amended, favorably to the Senate. The Committee proceeded by roll call vote as follows:

Tally: 14 Yeas, 5 Nays

Yeas (14): Cardin (D-MD), Durbin (D-IL), Feingold (D-WI), Feinstein (D-CA), Franken (D-MN), Grassley (R-IA), Hatch (R-UT), Kaufman (D-DE), Klobuchar (D-MN), Kohl (D-WI), Leahy (D-VT), Schumer (D-NY), Specter (D-PA), Whitehouse (D-RI).

Nays (5): Coburn (R-OK), Cornyn (R-TX), Graham (R-SC), Kyl (R-AZ), Sessions (R-AL).

III. Section-by-Section Summary of the Bill

Section 1.
Short title This section provides that the legislation may be cited as the ``Personal Data Privacy and Security Act of 2009.'' TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY Section 101. Organized criminal activity in connection with unauthorized access to personally identifiable information Section 101 amends 18 U.S.C. 1961(1) to add intentionally accessing a computer without authorization to the definition of racketeering activity. Section 102. Concealment of security breaches involving personally identifiable information Section 102 makes it a crime for a person who knows of a security breach requiring notice to individuals under title III of this Act, and of the obligation to provide such notice, to intentionally and willfully conceal the fact of, or information related to, that security breach. Punishment is either a fine under title 18, or imprisonment of up to 5 years, or both. Section 103. Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information Section 103 requires the U.S. Sentencing Commission to review and, if appropriate, amend the Federal sentencing guidelines for persons convicted of using fraud to access, or to misuse, digitized or electronic personally identifiable information, including sentencing guidelines for the offense of identity theft or any offense under 18 U.S.C. Sec. Sec. 1028, 1028A, 1030, 1030A, 2511, and 2701. Section 104. Effects of identity theft on bankruptcy proceedings Section 104 amends 11 U.S.C. Sec. Sec. 101 and 707(b) to exempt debtors from section 707(b)(2) means testing under the Bankruptcy Abuse Prevention and Consumer Protection Act, if the debtor's financial problems were caused by identity theft. 
This section requires that, to be eligible for this exemption, the identity theft must result in at least $20,000 in debt in one year, 50 percent of the debtor's bankruptcy claims, or 25 percent of the debtor's gross income for a 12-month period. The purpose of this provision is to ensure that victims who incur debts due to identity theft have all available protections under the bankruptcy code. TITLE II--DATA BROKERS Title II addresses the data brokering industry that has come of age, prompted by technology developments and changes in marketplace incentives. Data brokers collect and sell billions of private and public records about individuals, including personal, financial, insurance, medical and ``lifestyle'' data, as well as other sensitive information, such as details on neighbors and relatives, or even digital photographs of individuals. Companies like ChoicePoint, LexisNexis, and Acxiom, which are generally regarded as leaders in this industry, use this information to provide a variety of products and services, including fraud prevention, identity verification, background screening, risk assessments, individual digital dossiers, and tools for analyzing data. Although some of the products and services offered by data brokers are subject to existing privacy and security protections aimed at credit reporting agencies and the financial industry under the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley (GLB), many are not subject to such protections. In addition, there has been insufficient oversight of the industry's practices, including the accuracy and handling of sensitive data. These concerns have been highlighted by numerous reports of harm caused by inaccurate data records. This title draws from the principles in FCRA and GLB to close these loopholes. Section 201. 
Transparency and accuracy of data collection Section 201 applies disclosure and accuracy requirements to data brokers that engage in interstate commerce and offer any product or service to third parties that allows access to, or use, compilation, distribution, processing, analyzing or evaluating of personally identifiable information. Section 201 requirements are not applicable to products and services already subject to similar disclosure and accuracy provisions under FCRA and GLB, and implementing regulations. Section 201 requires data brokers to disclose to individuals, upon their request and for a reasonable fee, all personal electronic records pertaining to that individual that the data broker maintains for disclosure to third parties. Section 201 also requires data brokers to establish a fair process for individuals to dispute, flag or correct inaccuracies in any information that was not obtained from a licensor or public record. Modeled after section 611 of FCRA, section 201 requires data brokers to: (1) investigate disputed information within 30 days; (2) notify any data furnishers who provided disputed information and identify such data furnishers to the individual disputing the information; (3) provide notice to individuals on dispute resolution procedures and the status of dispute investigations, including whether the dispute was determined to be frivolous or irrelevant, whether the disputed information was confirmed to be accurate, or whether the disputed information was deleted as inaccurate; and (4) allow individuals to include a statement of dispute in the electronic records containing the disputed personal information. If the information was obtained from a licensor or public record, the data broker must provide the individual with contact information for the source of the data. 
Section 201 also provides that, under circumstances where a person or business takes an adverse action regarding a consumer, which is based in whole or in part on data maintained by a data broker, the person or business must notify the consumer in writing of the adverse action and provide contact information for the data broker that furnished the information, a copy of the information at no cost and the procedures for correcting such information. There is an exemption for fraud databases. Section 202. Enforcement A data broker that violates the access and correction provisions of section 201 is subject to penalties of $1,000 per violation per day with a maximum penalty of $250,000 per violation. A data broker that intentionally or willfully violates these provisions is subject to additional penalties of $1,000 per violation per day, with a maximum of an additional penalty of $250,000 per violation. The Federal Trade Commission (FTC) will enforce section 202 and may bring an enforcement action to recover penalties under this provision. States have the right to bring civil actions under this section on behalf of their residents in U.S. district courts, and this section requires that States provide advance notice of such court proceedings to the FTC, where practicable. The FTC also has the right to stay any State action brought under this section and to intervene in a State action. Section 203--Relation to State Laws Section 203 preempts State laws with respect to the access and correction of personal electronic records held by data brokers. Section 204--Effective Date Section 204 provides that title II will take effect 180 days after the date of the enactment of the Personal Data Privacy and Security Act. TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION SUBTITLE A--A DATA PRIVACY AND SECURITY PROGRAM Section 301. 
Purpose and Applicability of Data Privacy and Security Program Section 301 addresses the data privacy and security requirements of section 302 for business entities that compile, access, use, process, license, distribute, analyze or evaluate personally identifiable information in electronic or digital form on 10,000 or more U.S. persons. Section 301 exempts from the data privacy and security requirements of section 302 businesses already subject to, and complying with, similar data privacy and security requirements under GLB and implementing regulations, as well as examination for compliance by Federal functional regulators as defined in GLB, and HIPAA regulated entities. Section 302. Requirements for a Data Privacy and Security Program Section 302 requires covered business entities to create a data privacy and security program to protect and secure sensitive data. The requirements for the data security program are modeled after those established by the Office of the Comptroller of the Currency for financial institutions in its Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. Sec. 30.6 Appendix B (2005). A data privacy and security program must be designed to ensure security and confidentiality of personal records, protect against anticipated threats and hazards to the security and integrity of personal electronic records, protect against unauthorized access and use of personal records, and ensure proper back-up storage and disposal of personally identifiable information. 
In addition, section 302 requires a covered business entity to: (1) regularly assess, manage and control risks to improve its data privacy and security program; (2) provide employee training to implement its data privacy and security program; (3) conduct tests to identify system vulnerabilities; (4) ensure that overseas service providers retained to handle personally identifiable information, but which are not covered by the provisions of this Act, take reasonable steps to secure that data; and (5) periodically assess its data privacy and security program to ensure that the program addresses current threats. Section 302 also requires that the data security program include measures that allow the data broker to: (1) track who has access to sensitive personally identifiable information maintained by the data broker; and (2) ensure that third parties or customers who are authorized to access this information have a valid legal reason for accessing or acquiring the information. Section 303. Enforcement Section 303 gives the FTC the right to bring an enforcement action for violations of sections 301 and 302 in subtitle A. Business entities that violate sections 301 and 302 are subject to a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation. Intentional and willful violations of these sections are subject to an additional civil penalty of $5,000 per violation, per day and an additional maximum penalty of $500,000 per violation. This section also grants States the right to bring civil actions on behalf of their residents in U.S. district courts, and requires States to give advance notice of such court proceedings to the FTC, where practicable. There is no private right of action under this subtitle. Section 304. Relation to other laws Section 304 preempts State laws relating to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information. 
The requirements referred to in this section are the same requirements set forth in section 302. SUBTITLE B--SECURITY BREACH NOTIFICATION Section 311. Notice to individuals Section 311 requires that a business entity or Federal agency give notice to an individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, compromised, following the discovery of a data security breach. The notice required under section 311 must be made without unreasonable delay. Section 311(b) requires that a business entity or Federal agency that does not own or license the information compromised as a result of a data security breach notify the owner or licensee of the data. The owner or licensee of the data would then provide the notice to individuals as required under this section. However, agreements between owners, licensees and third parties regarding the obligation to provide notice under section 311 are preserved. Section 312. Exemptions Section 312 allows a business entity or Federal agency to delay notification by providing a written certification to the U.S. Secret Service that providing such notice would impede a criminal investigation, or damage national security. This provision further requires that the Secret Service must review all certifications from business entities (and may review certifications from agencies) seeking an exemption from the notice requirements based upon national security or law enforcement, to determine if the exemption sought has merit. The Secret Service has 10 business days to conduct this review, which can be extended by the Secret Service if additional information is needed. Upon completion of the review, the Secret Service must provide written notice of its determination to the agency or business entity that provided the certification. If the Secret Service determines that the exemption is without merit, the exemption will not apply. 
Section 312 also prohibits Federal agencies from providing a written certification to delay notice in order to conceal violations of law, prevent embarrassment or restrain competition. Section 312(b) exempts a business entity or agency that conducts a risk assessment after a data breach occurs, and finds no significant risk of harm to the individuals whose sensitive personally identifiable information has been compromised, from the notice requirements of section 311, provided that: (1) the business entity or Federal agency notifies the Secret Service of the results of the risk assessment within 45 days of the security breach; and (2) the Secret Service does not determine, within 10 business days of receipt of the notification, that a significant risk of harm does in fact exist and that notice of the breach should be given. Under section 312(b), a rebuttable presumption exists that the use of encryption technology, or of other technologies that render the sensitive personally identifiable information indecipherable, means that there is no significant risk of harm. Section 312(c) also provides a financial fraud prevention exemption from the notice requirement, if a business entity has a program to block the fraudulent use of information--such as credit card numbers--to avoid fraudulent transactions. Debit cards and other financial instruments are not covered by this exemption. Section 313. Methods of notice Section 313 provides that notice to individuals may be given in writing to the individual's last known address, by telephone, or via email notice if the individual has consented to email notice. Media notice is also required if the number of residents in a particular State whose information was, or is reasonably believed to have been, compromised exceeds 5,000 individuals. Section 314. 
Content of notification Section 314 requires that the notice detail the nature of the personally identifiable information that has been compromised by the data security breach, a toll free number to contact the business entity or Federal agency that suffered the breach, and the toll free numbers and addresses of major credit reporting agencies. Section 314 also preserves the right of States to require that additional information about victim protection assistance be included in the notice. Section 315. Coordination of notification with credit reporting agencies Section 315 requires that, for situations where notice of a data security breach is required for 5,000 or more individuals, a business entity or Federal agency must also provide advance notice of the breach to consumer reporting agencies. Section 316. Notice to law enforcement Section 316 requires that business entities and Federal agencies notify the Secret Service of the fact that a security breach occurred within 14 days of the breach, if the data security breach involves: (1) more than 10,000 individuals; (2) a database that contains information about more than one million individuals; (3) a Federal Government database; or (4) individuals known to be Government employees or contractors involved in national security or law enforcement. The Secret Service is responsible for notifying other Federal law enforcement agencies, including the FBI, and the relevant State Attorneys General within 14 days of receiving notice of a data security breach. Section 317. Enforcement Section 317 allows the Attorney General to bring a civil action to recover penalties for violations of the notification requirements in subtitle B. Violators are subject to a civil penalty of up to $1,000 per day, per individual and a maximum penalty of $1 million per violation, unless the violation is willful or intentional. Section 318. 
Enforcement by State Attorneys General Section 318 allows State Attorneys General to bring a civil action in U.S. district court to enforce subtitle B. The Attorney General may stay, or intervene in, any State action brought under this subtitle. Section 319. Effect on Federal and State law Section 319 preempts State laws on breach notification, with the exception of State laws regarding providing consumers with information about victim protection assistance that is available to consumers in a particular State. Because the breach notification requirements in the bill do not apply to State and local Government entities, this provision does not preempt State or local laws regarding the obligations of State and local government entities to provide notice of a data security breach. Section 320. Authorization of appropriations Section 320 authorizes funds for the Secret Service as may be necessary to carry out investigations and risk assessments of security breaches under the requirements of subtitle B. Section 321. Reporting on risk assessment exemptions Section 321 requires that the Secret Service report to Congress on the number and nature of data security breach notices invoking the risk assessment exemption and the number and nature of data security breaches subject to the national security and law enforcement exemptions. Section 322. Effective date Subtitle B takes effect 90 days after the date of enactment of the Personal Data Privacy and Security Act. TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA Section 401. General Services Administration review of government contracts Section 401 requires the General Services Administration (GSA), when issuing contracts for more than $500,000, to review and consider Government contractors' programs for securing the privacy and security of personally identifiable information, contractors' compliance with such programs, and any data security breaches of contractors' systems and the responses to those breaches. 
In addition, GSA is required to include penalties in contracts involving personally identifiable information for (1) failure to comply with subtitle A (Data Privacy and Security Programs) and subtitle B (Security Breach Notification) of title III of this Act; and (2) knowingly providing inaccurate information. Section 401 also requires that GSA include a contract requirement that Government contractors exercise due diligence in selecting service providers that handle personally identifiable information and that Government contractors take reasonable steps to select service providers that maintain appropriate data privacy and security safeguards. Section 402. Requirement to audit information security practices of contractors and third party business entities Section 402 amends 44 U.S.C. Sec. 3544 to require that Federal agencies audit and evaluate the information security practices of Government contractors and third parties that support the information technology systems of Government agencies. Section 403. Privacy impact assessment of Government use of commercial information services containing personally identifiable information Section 403(a) updates the E-Government Act of 2002 to require Federal departments and agencies that purchase or subscribe to personally identifiable information from a commercial entity, to conduct privacy impact assessments on the use of those services. In addition, section 403(b) requires Federal departments and agencies that use such services to publish a description of the database, the name of the provider and the contract amount. 
Section 403 also requires that Federal departments and agencies adopt regulations that specify the personnel allowed to access Government databases containing personally identifiable information and the standards for ensuring, among other things, the legitimate Government use of such information, the retention and disclosure of such information, and the accuracy, relevance, completeness and timeliness of such information. Section 403 further provides that Federal departments and agencies must include in contracts for more than $500,000 and agreements with commercial data services, penalty provisions for circumstances where a data broker delivers personally identifiable information that it knows to be inaccurate, or has been informed is inaccurate and is in fact inaccurate. Section 403(c) also requires that data brokers that engage service providers, who are not subject to the data security program requirements of the bill, exercise due diligence in retaining these service providers to ensure that adequate safeguards for personally identifiable information are in place. Section 403(d) directs the Government Accountability Office to conduct a follow-up study and report to Congress on Federal agency use of commercial databases, including the impact of such use on privacy and security, sufficiency of privacy and security protections, and the extent to which commercial data providers are penalized for privacy and security failures. Section 404. Implementation of Chief Privacy Officer requirements Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 requires each agency to create a Chief Privacy Officer. Section 404 facilitates the efficient and effective implementation of this requirement by directing the Department of Justice to implement this provision by designating a Department-wide Chief Privacy Officer, whose primary role is to fulfill the duties and responsibilities of Chief Privacy Officer. 
In addition, the DOJ Chief Privacy Officer will report directly to the Deputy Attorney General. Section 404 also stipulates responsibilities for the DOJ Chief Privacy Officer that are tailored to the mission of the Department and the requirements of this Act. Specifically, this section directs the Chief Privacy Officer to: (1) oversee DOJ's implementation of the privacy impact assessment requirement under section 402; (2) promote the use of law enforcement technologies that sustain, rather than erode, privacy protections and ensure that technologies relating to the use, collection and disclosure of personally identifiable information preserve privacy and security; and (3) coordinate implementation with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004. IV. Congressional Budget Office Cost Estimate The Committee sets forth, with respect to the bill, S. 1490, the following estimate and comparison prepared by the Director of the Congressional Budget Office under section 402 of the Congressional Budget Act of 1974: December 2, 2009. Hon. Patrick J. Leahy, Chairman, Committee on the Judiciary, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 1490, the Personal Data Privacy and Security Act of 2009. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Matthew Pickford. Sincerely, Douglas W. Elmendorf. Enclosure. S. 1490--Personal Data Privacy and Security Act of 2009 Summary: S. 1490 would establish new federal crimes relating to the unauthorized access of sensitive personal information. The bill also would require most government agencies or businesses that collect, transmit, store, or use personal information to notify any individuals whose information has been unlawfully accessed. In addition, S. 
1490 would require data brokers to allow individuals access to their electronic records and to publish procedures for individuals to respond to inaccuracies. Assuming appropriation of the necessary amounts, CBO estimates that implementing S. 1490 would cost $25 million over the 2010-2014 period. Enacting S. 1490 could increase civil and criminal penalties and thus could affect federal revenues and direct spending, but CBO estimates that such effects would not be significant in any year. Further, enacting S. 1490 could affect direct spending by agencies not funded through annual appropriations. CBO estimates, however, that any changes in net spending by those agencies would be negligible. S. 1490 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that the cost of complying with the requirements would be small and would not exceed the threshold established in UMRA ($69 million in 2009, adjusted annually for inflation). The new standards and requirements for data security in S. 1490 would constitute private-sector mandates as defined in UMRA. While much of the industry already complies in large part with many of those requirements, a large number of entities in the private sector would face new security standards. CBO estimates that the aggregate direct cost of complying with those new standards would probably exceed the annual threshold established in UMRA for private-sector mandates ($139 million in 2009, adjusted annually for inflation) in at least one of the first five years the mandates are in effect. Estimated cost to the Federal Government: The estimated budgetary impact of S. 1490 is shown in the following table. The costs of this legislation fall within budget functions 750 (administration of justice), 800 (general government), and any other budget functions that contain salaries and expenses. 
                                               By fiscal year, in millions of dollars--
                                         2010    2011    2012    2013    2014    2010-2014
                     CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level.........      3       5       7       7       7          29
Estimated Outlays.....................      1       3       7       7       7          25

Basis of estimate: For this estimate, CBO assumes that the bill will be enacted early in calendar year 2010, that the necessary amounts will be provided each year, and that spending will follow historical patterns for similar programs. Most of the provisions of the bill would codify the current practices of the federal government regarding data security and procedures for notification of security breaches. While existing laws generally do not require agencies to notify affected individuals of data breaches, agencies that have experienced security breaches have generally provided such notification. Therefore, CBO expects that codifying this practice would probably not lead to a significant increase in spending. Nonetheless, the federal government is one of the largest providers, collectors, consumers, and disseminators of personal information in the United States. Although CBO cannot anticipate the number or extent of security breaches, a significant breach of security involving a major collector of personal information, such as the Internal Revenue Service or the Social Security Administration, could involve millions of individuals and result in significant costs to notify individuals of such a breach. S. 1490 also would require federal agencies to provide several reports to the Congress concerning data security issues. 
The legislation would require agencies to conduct additional privacy impact assessments on commercially purchased data that contains personally identifiable information, and the Government Accountability Office would be required to report to the Congress on federal agencies' use of commercial information. In addition, the General Services Administration (GSA) would provide additional security assessments for certain government contracts involving personally identifiable information. Those assessments would include payroll processing, emergency response and recall, and medical data. Based on information from the Office of Management and Budget and GSA, CBO estimates that the additional staff needed to carry out those tasks and reporting requirements would cost $7 million annually when fully implemented. We expect that it would take about three years to fully implement the requirements. The legislation also would require a business entity or agency--under certain circumstances--to notify the Secret Service that a security breach has occurred but would permit entities or agencies to apply to the Secret Service for exemption from notice requirements if the personal data was encrypted or similarly protected or if notification would threaten national security. Based on information from the Secret Service, CBO estimates that any additional investigative or administrative costs to that agency would likely be less than $500,000 annually, subject to the availability of appropriated funds. Other provisions of the bill would require the Federal Trade Commission (FTC) to develop and enforce regulations that would require data brokers to allow individuals to access their personal information and to require companies to assess the vulnerability of their data systems. The FTC would be authorized to collect civil penalties for violations of those new regulations. CBO estimates that those provisions would have no significant effect on spending. Direct spending and revenues S. 
1490 would establish new federal crimes relating to the unauthorized access of sensitive personal information. Enacting the bill could increase collections of civil and criminal fines for violations of the bill's provisions. CBO estimates that any additional collections would not be significant because of the relatively small number of additional cases likely to result. Civil fines are recorded as revenues. Criminal fines are recorded as revenues, deposited in the Crime Victims Fund, and subsequently spent without further appropriation. Estimated impact on state, local, and tribal governments: S. 1490 contains intergovernmental mandates as defined in UMRA. The bill would preempt laws in 45 states regarding the treatment of personal information. It also would place procedural requirements and limitations on state attorneys general and state insurance authorities. The preemptions would impose no costs on states. CBO estimates that the costs to attorneys general and insurance authorities of complying with the procedural requirements would be small and would not exceed the threshold established in UMRA ($69 million in 2009, adjusted annually for inflation). Estimated impact on the private sector: S. 1490 would impose several private-sector mandates as defined in UMRA, including requirements that:
    Certain business entities that handle personally identifiable information for 10,000 or more individuals establish and maintain a data privacy and security program;
    Any business entity engaged in interstate commerce notify individuals if a security breach occurs in which such individuals' sensitive personally identifiable information is compromised;
    Data brokers provide individuals with their personally identifiable information and allow them to change the information if it is incorrect; and
    Any entity taking an adverse action against an individual based on information obtained from a database maintained by a data broker notify the individual of that action.
The majority of businesses already comply with procedures for data security and breach notification that are similar to many of the bill's requirements. However, some of the requirements in the bill would impose new standards for data maintenance and security on a large number of entities in the private sector. CBO estimates that the aggregate direct cost of all the mandates in the bill would probably exceed the annual threshold established in UMRA for private-sector mandates ($139 million in 2009, adjusted annually for inflation) in at least one of the first five years the mandates are in effect. Data privacy and security requirements Subtitle A of title III would require businesses engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive, personally identifiable information in electronic or digital form on 10,000 or more individuals to establish and maintain a program for data privacy and security. The program would be designed to protect against both unauthorized access and any anticipated vulnerabilities. Business entities would be required to conduct periodic risk assessments to identify such vulnerabilities and to assess possible security risks in establishing the program. 
Additionally, entities would have to train their employees in implementing the data security program. The bill would direct the FTC to develop rules that identify privacy and security requirements for the business entities covered under subtitle A. Some entities would be exempt from the requirements of subtitle A. Those include certain financial institutions that are subject to the data security requirements under the Gramm-Leach-Bliley Act and entities that are subject to the data security requirements of the Health Insurance Portability and Accountability Act.

The cost per entity of the data privacy and security requirements would depend in part on the rules to be established by the FTC, the size of the entity, its current ability to secure, record, and monitor access to data, as well as the amount of sensitive, personally identifiable information maintained by the entity.

The majority of states already have laws requiring businesses to utilize data security programs, and it is the current practice of many businesses to use security measures to protect sensitive data. However, some of the new standards for data security in the bill could impose additional costs on a large number of private-sector entities. For example, under the bill, business entities covered under subtitle A would be required to enhance their security standards to include the ability to trace access and transmission of all records containing personally identifiable information (PII). The current industry standard on data security has not reached that level. According to industry experts, information on a particular individual can be collected from several places and, for large companies, can be accessed by thousands of people from several different locations. The ability to trace each transaction of data containing PII would be a significant enhancement of data management hardware and software for the majority of business entities. The aggregate cost of implementing such changes could be substantial.

Security breach notification

Subtitle B of title III would require businesses engaged in interstate commerce that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information to notify individuals in the event of a security breach if the individuals' information is compromised. Entities would be able to notify individuals using written letters, the telephone, or email under certain circumstances. The bill also would require those entities to notify the owner or licensee of any such information that the entity does not own or license. A notice in major media outlets serving a state or jurisdiction also would have to be provided for any breach of more than 5,000 residents' records within a particular state.

In addition, business entities would be required to notify other entities and agencies in the event of a large security breach. Entities that experience the breach of such data would have to notify the affected victims and consumer reporting agencies if the breach involves more than 5,000 individuals. They would have to notify the U.S. Secret Service if the breach involves more than 10,000 individuals. The bill, however, would exempt business entities from the notification requirements under certain circumstances.

According to industry sources, millions of individuals' sensitive personally identifiable information is illegally accessed or otherwise breached every year. However, according to those sources, 45 states already have laws requiring notification in the event of a security breach. In addition, it is the standard practice of most business entities to notify individuals if a security breach occurs. Therefore, CBO estimates the notification requirements would not impose significant additional costs on businesses.

Requirements for data brokers

The bill would impose new disclosure and data collection requirements on data brokers. The bill defines a data broker as a business entity which for monetary fees or dues regularly collects for the practice of collecting, transmitting, or providing access to sensitive, personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.

Section 201 would require certain data brokers to disclose to individuals, upon their request, all personal electronic records relating to an individual that are kept primarily for third parties. Additionally, if an individual disputes the accuracy of the information that is contained in the data brokers' records, the data brokers would be required to change the information or provide the individual with contact information for the source from which they obtained the information. Upon investigation, data brokers could determine that some requests to change an individual's information are frivolous. However, the data broker would be required to notify any individual requesting a change of information if such an action is taken.

The cost of providing records upon request depends on the costs of gathering and distributing the information to individuals and the number of individuals requesting their information. Under the bill, data brokers would be allowed to charge a reasonable fee for this service. Data brokers would likely be able to cover their costs of providing individuals with their personal information with the fee they could charge. However, the cost to data brokers of having to change individuals' information and notifying the individuals could be large. According to information from industry sources, however, some data brokers already correct information based on requests from individuals.
The average cost to large data brokers that currently provide this service is about $8.50 each time a record is disclosed and information is disputed by an individual, according to some industry experts. However, the cost per record may be higher for data brokers who do not currently have systems in place to handle such disputes. Some evidence exists that many individuals' personally identifiable information housed at data brokerage firms is in part incorrect. If a large number of individuals request data changes, CBO estimates that the time and notification costs to data brokers could be high. Because of uncertainty about the number of individuals who would request information under the bill and, as a result of those requests, the amount of information that would need to be changed, CBO cannot estimate the cost of this mandate.

Adverse actions using information from data brokers

Section 201 also would require any entity taking an adverse action with respect to an individual based on information contained in a personal electronic record maintained, updated, owned, or possessed by a data broker to notify the individual of the adverse action. The notification can be written or electronic and must include certain information about the data broker. While the per-individual cost of notification would be small, the cost of complying with the mandate would depend on the number of adverse actions that would be taken against individuals by entities. Because data about the incidence of such actions are unavailable, CBO has no basis to determine the direct cost of complying with this mandate.

Estimate prepared by:
    Federal costs: Federal Agencies--Matthew Pickford; U.S. Secret Service--Mark Grabowicz;
    Impact on state, local, and tribal governments: Elizabeth Cove Delisle;
    Impact on the private sector: Marin Randall.

Estimate approved by: Theresa Gullo, Deputy Assistant Director for Budget Analysis.

V. Regulatory Impact Evaluation

In compliance with Rule XXVI of the Standing Rules of the Senate, the Committee finds that no significant regulatory impact will result from the enactment of S. 1490.

VI. Conclusion

The Personal Data Privacy and Security Act of 2009, S. 1490, provides greatly needed privacy protections to American consumers and businesses, to ensure that all Americans have the tools necessary to protect themselves from identity theft and other data security risks. This legislation will also ensure that the most effective mechanisms and technologies for dealing with the underlying problem of lax data security are implemented by the Nation's businesses to help prevent data breaches from occurring in the first place. The passage and enactment of this important privacy legislation is long overdue.

VII. MINORITY VIEWS FROM SENATORS SESSIONS AND KYL

This legislation deals with two issues about which there is bipartisan agreement on the need for congressional action: data security and identity theft. We fully support the goals behind the provisions on this legislation dealing with notice to law enforcement and to consumers in the event of a data breach. Such notice provides law enforcement with valuable information on how to fight data and identity theft crimes which have exploded in recent years, and which are now increasingly committed by sophisticated criminal enterprises with global reach. Timely notice of genuine threats to individuals' identity information also gives consumers the ability to protect themselves.

We believe, however, that notice to consumers must occur after an intelligent assessment of the risk a breach poses to consumers. Requiring notice for trivial security breaches will cause consumers to be inundated by inconsequential warnings, and if consumers find themselves overwhelmed by trivial notices, they will be more likely to ignore warnings that matter--when their identity information is genuinely at risk.
Such a notice regime would not help consumers, but will affirmatively harm them.

While we commend the Chairman's efforts in this area, we unfortunately cannot support S. 1490 because we believe that it will be counterproductive to our shared goal of consumer protection, and because we fear that it strays far afield from the core objective of protecting consumers whose information has been compromised. S. 1490 seeks to impose new regulations not only on ``Data Brokers''--a class of businesses defined so broadly as to ensnare companies not engaged in the data broker business--but also on any entity or person that merely uses information obtained from commercial data sources. The regulations proposed in this bill will confuse consumers and businesses alike, and eventually harm the economy at large.

BACKGROUND

Identity theft is a major concern for consumers and for businesses, and the threat from increasingly sophisticated criminal enterprises is both serious and growing. Both business and government have spent a great deal of time and effort to understand and combat this crime. Law enforcement at the federal, state and local levels have increased their cooperation, and businesses have adopted more rigorous internal controls to protect their customers' information. During the last Administration, the President's Identity Theft Task Force issued a report in April 2007 after 10 months of study, showing that the business community had spent billions of dollars enhancing data security, building better ways to detect and stop fraud and identity theft before it occurs, and working with victims.

State governments have also become very active in this area. Already 45 states and the District of Columbia have enacted laws to combat identity theft and to require businesses who are victimized by a data breach to contact consumers and inform them of the risk to their sensitive personal identity information. There are significant differences across the various state laws, however, and so a Federal response--to provide consistency and predictability which will promote interstate commerce--is clearly necessary.

Our first priority must be to ensure that consumers have the tools to protect themselves in the event of a data breach. Americans need to be notified when information pertaining to them is compromised in a way that may jeopardize their identities. For such notices to be effective, however, they must be issued only when there are reasonable grounds to do so. We know from the experience of the Gramm-Leach-Bliley Act (GLBA) that over-notification leads to consumer apathy, with the result that consumers are exposed to greater risks.

SPECIFIC CONCERNS WITH S. 1490, THE PERSONAL DATA PRIVACY AND SECURITY ACT

Though we support many of the stated goals of this legislation, we have several specific concerns with S. 1490 as reported by the Committee.

1. The Notice provisions will likely result in over-notification to consumers of data breaches

The bill sets a default rule that consumers must be notified of any breach ``following the discovery'' of a breach. It then provides a ``safe harbor'' that excuses companies from that obligation if the company conducts a risk assessment and concludes that the breach does not bear a reasonable risk of ``harm'' to the consumer. The term ``harm'' is potentially very broad, and the bill does not define it. Although supporters of the bill have been repeatedly asked what ``harm'' would cover, they have never provided a clear answer. In the face of such ambiguity, and in the face of the severe consequences for failure to issue notices when required, businesses are likely to minimize their legal risk by simply notifying consumers even of minor non-threatening breaches. Such defensive behavior, however rational from the perspective of the business victimized by a data breach, will almost certainly dull consumers' sensitivity to breach notices and leave them at greater risk than they face in the absence of federal legislation.

2. The scope of protected information is over-broad, and will contribute to over-notification

The bill also defines the protected class of information--``sensitive personally identifiable information''--to include widely available information that is not sufficient to pose a risk of identity theft. But the bill's notice and ``safe harbor'' provisions would be triggered even where the data breach only revealed such relatively innocuous information.

3. The definition of Security Breach is over-broad

The bill defines a breach as including unauthorized ``access'' or ``acquisition'' of sensitive personally identifiable information. While ``access'' to such information is a common term used in the criminal code, its use alongside ``acquisition'' implies that ``access'' refers only to instances where the personal data is not ``acquired''--i.e. where the data is not in some way recorded, collected, or taken for future, potentially harmful, use. Thus, the current definition of a ``breach'' would appear to cover instances where information is viewed in passing, or possibly where a person obtains unauthorized access to a computer system that contains personal information, even if the invader never views or downloads the information. Such activity, however, does not threaten individuals whose data was ``accessed'' with any harm.

The problems posed by this definition may be reduced in part by the new proviso added to the definition of a ``security breach'' in committee, which limits the definition of a breach to incidents ``which present a significant risk of harm or fraud to any individual.'' That language, however, leads to different problems. One of the most valuable aspects of S. 1490 is the requirement for companies who suffer data breaches to report those incidents to law enforcement. That reporting requirement will assist our law enforcement agencies to better analyze and defend against the methods of increasingly sophisticated and global criminal enterprises that commonly engage in data theft. In order to avoid desensitizing the public through over-notification of such breaches, however, any legislation in this area should include a clear risk-based standard for requiring companies to take the additional step of notifying individual consumers who might have been affected by the breach. Inserting the ``significant risk of harm or fraud'' test in the definition of a ``security breach,'' however, places the threshold too early in the process. This language also places the determination of whether there is a ``substantial risk,'' and thus, the applicability of the entire breach notice regime, largely within the discretion of the business that experienced the data breach. While S. 1490 imposes severe penalties on companies who refuse to provide appropriate notice to consumers, the inclusion of a ``significant risk'' test in the definition of a ``breach'' dramatically increases the risk that a company might incorrectly conclude that the attack it suffered did not meet the statutory definition of a ``security breach'' and thus fail to notify or seek the views of law enforcement.

4. The legislation should specifically and completely exempt entities regulated by other federal laws from the provisions of this Act

Consumer reporting agencies (CRAs) are already fully regulated under requirements under the Fair Credit Reporting Act (FCRA), and financial institutions are regulated under the Gramm-Leach-Bliley Act.
Companies that are already regulated under the FCRA and Gramm-Leach-Bliley (GLB) should be specifically exempt from this Act, and from the definition of ``data broker'' because they are already subject to rigorous data safeguard requirements under these statutes. The Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) is a time-tested statute that has received frequent and thoughtful review by Congress, and was most recently updated in 2003, with extensive changes implemented by the FACT Act (Pub. L. 108-159).\1\
---------------------------------------------------------------------------
\1\That Act contained a number of significant provisions designed to protect consumers and combat identity theft, and I again compliment Senator Shelby for his work on that legislation as the then--Chairman of the Senate Banking Committee.
---------------------------------------------------------------------------

The requirements laid out in this legislation would create a host of conflicting, inconsistent, unworkable and potentially negative impacts on FCRA-regulated entities, and could have significant negative effects on consumers. Further, assuming that it was the Committee's intent to exempt FCRA and GLB covered entities from the scope of some provisions of this Act, the exemption crafted by the Committee is incomplete, and would in many cases subject FCRA regulated entities to duplicative and conflicting standards. Rather than having the Judiciary Committee attempt to craft those exemptions, we should defer to the Banking Committee, which has the expertise to determine that the exemptions are as complete as intended.

5. Other issues

In addition to these flaws, S. 1490 also contains unnecessary provisions that might be politically attractive to their advocates but which do not ultimately serve the interests of the consumers we are pledged to protect. The data broker regulations in Title II of S. 1490 are the best example of the ``bloat'' that afflicts this bill.
Notwithstanding the exemptions incorporated into this title, the bill's definition of ``data broker'' is far too broad and runs the risk of covering a range of entities--including on-line payment or banking service providers--that are not engaged in a business that fits the common understanding of what constitutes a ``data broker.'' Title II also attempts to treat data broker services as analogous to credit reporting services, while overlooking the fact that the uses of these databases--e.g., for authenticating identity and fraud prevention, as well as for things such as locating deadbeat parents--is very different from the predominant use of credit report data as a financial transactions tool.

For example, Title II contains a vague and potentially wide-ranging notice obligation by any person or entity who takes ``adverse action'' against an individual based in whole or in part on information obtained from a data broker. Yet ``adverse action'' is never defined, and the potential reach of this obligation is enormous. In addition, Title II creates a reach-through right for any consumer to contest information held by a data broker by being referred to the source of the information, including any commercial business with which the individual has a transaction history. Such a requirement would impose enormous costs on the U.S. economy, in exchange for little protection gained for the individual consumer.

Title IV of S. 1490 is also problematic, since it would require federal agencies that use data broker services to publish privacy impact notices in the Federal Register. Not only does this take an obligation that attaches to records in government's own control and attach it to privately held data which the government reviews under contract, but the privacy impact analysis language in the bill contains no exception for law enforcement or counterterrorism uses of the data broker's services. According to a 2005 GAO audit, 91% of government use of data broker services was for these two types of activities, and publication of details about the government's data use (e.g. for security investigations or other sensitive activities) could hamper these critical functions.

CONCLUSION

For these reasons, we dissent from the views and policy represented by S. 1490, and we would urge our colleagues to revisit many of the policy and drafting problems created by this bill.

Jeff Sessions.
Jon Kyl.

VIII. Changes to Existing Law Made by the Bill, as Reported

In compliance with paragraph 12 of Rule XXVI of the Standing Rules of the Senate, the Committee finds that it is necessary to dispense with the requirement of paragraph 12 to expedite the business of the Senate.