Privacy Law: Leahy & Specter File Personal Data Privacy Act of 2007 Bill

On Tuesday, February 6, U.S. Sen. Patrick Leahy, D-Vt., and Sen. Arlen Specter, R-Pa., filed legislation, the Personal Data Privacy Act of 2007, that would, among other things, require organizations to notify consumers of security breaches and mandate the adoption of internal policies to protect personal data. This bill is generally the same as the bill Leahy proposed in 2005 and again in 2006.

At a high level the Personal Data Privacy Act of 2007 would:
* make it a crime to intentionally or willfully hide a security breach;
* provide consumer access and correction rights to information held by commercial data brokers;
* require companies to notify authorities of breaches;
* require government agencies to adopt privacy protection rules when agencies use information from commercial data brokers; and
* require audits of government contracts with commercial data brokers.

Leahy provides the following in his statement introducing the bill:

"Summary Of The Leahy–Specter Personal Data Privacy And Security Act Of 2007

Provides new measures to protect the privacy and security of personal data. Provides Americans with notice when they have been harmed, and also addresses the underlying problem of lax security and lack of accountability in dealing with personal data.

Adds unauthorized access to sensitive personally identifiable information to the criminal prohibition against computer fraud under 18 U.S.C. § 1030(a)(2).

Requires data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct demonstrated inaccuracies. There are exemptions for products and services already subject to access and correction rules under the Fair Credit Reporting Act, as well as companies subject to Gramm-Leach-Bliley and the Health Information Portability and Accountability Act. In addition, there are also exemptions for proprietary, fraud prevention tools and marketing data.

Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data. There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.

Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised. The trigger for notice is tied to significant risk of harm with appropriate checks-and-balances to prevent over-notification as well as underreporting. There are exemptions for national security and law enforcement needs, credit card companies using fraud-prevention techniques or where a breach does not result in a significant risk of harm.

Addresses the government’s use of personal data by: (1) requiring the General Services Administration to evaluate the privacy and security practices of potential government contractors handling personal data, and include penalties in government contracts for failure to protect data privacy and security; (2) requiring Federal departments and agencies to audit the information security practices of commercial data brokers hired for projects involving personal data and include protections and penalties in contracts with data brokers to protect data privacy and security; and (3) requiring Federal departments and agencies to conduct privacy impact assessments on their use of commercial databases to access personal data on U.S. persons, and to adopt regulations to ensure the security and privacy of data obtained through commercial data brokers.

Provides tough monetary penalties for failing to provide privacy and security protections and notices of security breaches, and toughens criminal penalties for those who infiltrate systems to compromise personal data. Also imposes a criminal penalty in the cases where there is intentional and willful concealment of a security breach known to require notice."

I'm glad to see this covers all types of organizations, including government agencies. It is too bad they have the 10,000 individuals minimum to have a security program in place; I'm sure some organizations will find creative ways to exploit this so that they will not have to establish security programs. Organizations of all sizes that handle personally identifiable information (PII) should have information security in place to safeguard privacy.

It will be interesting to see the actual text of the bill; it has not yet been posted.

Recall that Vermont has had three privacy breaches recently. Just last week in Vermont there was a serious data breach of a computer system used by the Vermont Agency of Human Services. The breach jeopardized the financial data of at least 69,000 Vermonters whose personal financial information was stored on the server.

Along with these, breaches at the federal government level continue, as with yet another one within the Department of Veterans Affairs office that reported Monday, 2/5, that they had lost a portable hard drive containing the sensitive personal information on as many as 48,000 veterans.

After three years of almost daily reports of privacy breaches, the momentum exists to get this bill passed this time around.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.