Scott & Scott | Software Compliance Counsel


The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 1 of 3)

“The world is digital and so is our personal data. In this day and age, almost everything we do results in a third party creating a digital record about us – digital records that we may not even realize exist.” – Senator Russ Feingold.

Congress wants to protect your sensitive personally identifiable information, but this time they meant it. No, seriously, they really do, and they’re willing to throw you in jail to prove their point. Personally identifiable information is a valuable commodity that is bought, sold and of course, stolen. In 2006, over 9,300,000 Americans were victims of identity theft. According to the Better Business Bureau, each victim lost approximately $6,300 and spent over 40 hours on the phone with creditors and credit bureaus to clear their names. Businesses collectively lose $50 billion a year from identity thieves.

In 2005, Senator Patrick Leahy (D-VT) and Senator Arlen Specter (R-PA) introduced a bill that attempted to protect individuals’ private information. However, influential critics of this bill viewed it as “unfriendly” to business and the bill was never brought up for a vote. In 2007, the political winds shifted and the legislative gavel changed hands. Senators Leahy and Specter reintroduced their bill, joining forces with Senator Dianne Feinstein (D-CA) and Senator Russ Feingold (D-WI). Now, it looks like the 110th Congress will pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). Congress recently received the blessing of Microsoft and other private industry leaders; therefore it is highly anticipated that the Federal Government will pass the Privacy and Security Act within the next couple of months.

This Privacy and Security Act associates identity theft with organized crime and imposes new criminal penalties for intentionally concealing a data security breach. The Act is also unique because it regulates data brokers, all businesses that collect personal information, and… the Federal Government itself.

This report is divided into three parts. Part I will briefly discuss the new criminal penalties imposed for intentionally violating the new legal reporting requirements for data brokers. Part II focuses on the Act’s “Safeguards Rule” and the legal duty imposed upon all businesses that handle sensitive personally identifiable information to create a Data Privacy and Security Program. Finally, Part III briefly discusses the requirement that certain government agencies designate a Chief Privacy Officer and ensure that data brokers under government contract have a sufficient data privacy and security program in place.

Title I – Enhancing Punishment for Identity Theft.

The Privacy and Security Act significantly enhances the punishment for identity theft by associating such activity with organized crime. Specifically, the Privacy and Security Act adds subsection 18 U.S.C. § 1030(a)(2)(D), relating to fraud and related activity in connection with unauthorized access to sensitive personally identifiable information. Furthermore, the Act makes it a criminal offense to conceal a security breach, even if such concealment harms only 1 individual. That’s right. The Privacy and Security Act could land a Chief Privacy Officer in the Federal Penitentiary for up to 5 years if he or she “knowingly” fails to provide notice of a breach to individuals, where required under Title III of the Act, and he or she attempts to “intentionally and willfully” conceal such breach. To make matters more exciting, the Act puts the United States Secret Service in charge of investigating all alleged offenses. The Act does require that the offender knowingly, intentionally and willfully violate the Act. However, the Privacy and Security Act does make it clear that senior management, corporate officers and their employees will be held criminally responsible for knowing and complying with the law. Remember, ignorance of the law is not an excuse.

Title II - Data Brokers.

The Act is unique because Congress publicly acknowledges that data about individuals is bought and sold and that such data is not merely limited to the information found in a credit report. The Act applies to data brokers engaging in interstate commerce. Congress defines a “data broker” as “a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.”

Legal Duties. The Privacy and Security Act requires data brokers to disclose to individuals, for a reasonable fee of course, all personal electronic records pertaining to that individual that the data brokers collect and sell to third parties. The disclosures must also include instructions on the procedures to correct any inaccurate information. If the individual disputes the accuracy or completeness of the information, the data broker shall determine, within 30 days, whether the information accurately reflects information found in the public record. If the disputed information did not come from the public record, then the data broker shall investigate and determine whether the personally identifiable information is accurate and complete, free of charge this time. If the data broker determines that the disputed information is in fact inaccurate, then the data broker must correct the information accordingly. If an individual requests, the data broker must also provide the name of the entity that supplied the disputed information and how to contact that entity. However, if the data broker reasonably determines that the individual’s initial dispute is “frivolous” or “intended to perpetuate fraud”, the data broker may decline to investigate and terminate its review as long as it notifies the individual in writing.

Enforcement. The Federal Trade Commission (“FTC”) is charged with enforcing the Privacy and Security Act. If a data broker violates Title II, it may be enjoined and fined civil penalties of up to $1,000 per violation per day, up to a maximum of $250,000. If a state law is broken, States are still permitted to bring a civil action in Federal Court. However, the State attorney general must first provide written notice to the FTC, if feasible. Otherwise, the State must provide the FTC with a copy of the complaint as soon as practicable. If the FTC has already proceeded against the data broker under the Act, the State attorney general may not bring its own claims against the violator. Hence, Federal authority trumps all State actions. Finally, individuals are not allowed to bring private causes of action against a data broker for violating the Act.


About

This page contains a single entry from the blog posted on May 30, 2007 11:44 AM.
