The following text is
copyright 2007 by Network World; permission is hereby given for reproduction,
as long as attribution is given and this notice is included.
The Leahy privacy bill:
coddling the criminals?
By Scott Bradner
After the data breach about a year ago that exposed the personal information of some congressmen I was sure that there would soon be a
federal bill enhancing privacy protections. (See Privacy: A personal touch -
http://www.networkworld.com/columnists/2005/030705bradner.html) But that was not to be. I guess the big companies that make a
profit by violating your and my personal space have enough clout on Capitol
Hill to get even a Congressman whose own data was exposed to back off. When the election changed the power
picture in Washington, I had a little burst of hope that something meaningful
would happen in this space, but I'm mostly disappointed in what the change has
actually brought.
In early February Senators Patrick Leahy (D-Vt.), Chairman of the Senate Judiciary Committee, and Bernie Sanders
(I-Vt.) introduced the "Personal Data Privacy and Security Act of 2007."
(http://leahy.senate.gov/press/200702/Data Privacy and Security Act of
2007 GRA07024_xml.pdf) From the
press release (http://leahy.senate.gov/press/200702/020607.html) and a quick
read, this proposed legislation looks quite good. Even on a more detailed reading the bill has some good stuff
in it, but in the end it does more to protect the people who are sloppy
with your data than it does to prevent the sloppiness in the first
place.
The bill concerns itself with the protection of "sensitive personally identifiable information." This
includes your name along with an SSN, passport number or driver's license number;
your home address and mother's maiden name or your date of birth; a biometric
ID (e.g., a fingerprint); a bank account number and PIN; or a credit card number and
security code. (Note that the new
RFID passports may meet this definition since they include your name and
picture.) As you might expect,
the bill would override any state or local laws that address the same issues.
Under the bill anyone who has this information about you must endeavor to protect it "equal to industry
standards" and must notify you if it is improperly accessed. Failure to
notify, even where just one person's information is exposed, can generate
a fine of $1,000 per day, up to $250K, and up to five years in jail. These can be
doubled if the failure is intentional and willful.
Under the bill you can ask to see
your record (not including any list of purchases they might have for you) that
is held by a data broker and ask for it to be corrected if you see anything
wrong. The broker can tell you to
go away if the broker wants to claim you are being "frivolous."
The bill would require any person or company that has personal information about more than 10,000
"US persons" to create a protection program much like the one the Gramm-Leach-Bliley
Act requires (a risk assessment, employee training, etc.). Fines of $5K/day can be imposed for
failure to have such a program or its protections, also doubled if
intentional or willful.
Charges for violations under this bill can be brought by state Attorneys General or by the Federal Trade
Commission (FTC). The bill removes
any right for the party hurt by the exposure, i.e. you, to bring a private
action.
Taking all enforcement out of the hands of the citizens basically removes any incentive for a company to do the right
thing. In almost all cases the FTC does not fine anyone; it just makes them
promise not to be bad in the future.
The FTC does not even make them admit they were bad this time. Few state Attorneys General seem to be
interested in this sort of thing -- Eliot Spitzer, ex-NY AG, was an
exception. So by blocking the
ability to bring a private action this bill tells businesses that they will get a free
pass if they mess up. It is hardly
a pro-privacy clarion call -- it's all very disappointing (but, sadly, not all
that surprising, considering we are talking about Washington).
disclaimer: Harvard trains lawyers who can help
correct Washington's lapses, but only if they are permitted to; the
above is my opinion, not the Law School's or Harvard's.