Senator Leahy Introduces His Personal Data Privacy and Security Act—Again!

Last month, we discussed Senator Patrick Leahy’s (D-Vt.) introduction of the Electronic Communications Privacy Act Amendments of 2011 related to disclosures of certain location-based tracking information. 

Yesterday, and on the heels of President Obama’s proposed data breach notification legislation, Senator Leahy  introduced the Personal Data Privacy and Security Act [pdf].  This legislation has been previously introduced three times and is intended to replace the 46-plus individual laws in the U.S. that are in effect or coming into effect related to data breach notification requirements.  Senator Leahy cited the recent large and public breaches as “clear evidence” of a need to develop a “comprehensive national strategy to protect data privacy and security.” 

The legislation would apply to both private organizations and government agencies.  Some key provisions include:

•  Preemption of most state data breach notification requirements
•  Federal Trade Commission (FTC) and attorney general enforcement and penalties
•  Notification by mail, telephone or e-mail
•  Media notification when 5,000 or more individuals are involved
•  Notification to the Secret Service within 14 days in certain circumstances
•  Requirements when dealing with third-party contractors that handle sensitive information

The bill is cosponsored by Senators Chuck Schumer (D-N.Y.) and Ben Cardin (D-Md.).