Breach, Data Security

Target breach spurs Vermont senator to reintroduce data privacy bill

A Vermont senator has once again brought a bill to Congress that, if passed, would establish a national standard for data breach notification, as well as update the Computer Fraud and Abuse Act to toughen up penalties for computer hacking crimes.

Spurred by the late 2013 breach of Target that involved the theft of 40M cards, CVV numbers and encrypted PIN codes, the Wednesday announcement marked the fourth time Vermont senator and Senate Judiciary Committee Chairman Patrick Leahy has introduced the Personal Data Privacy and Security Act.

Leahy – who authored the bill and sponsored it along with Senators Al Franken, Chuck Schumer and Richard Blumenthal – was unavailable to respond to a request for comment, but David Carle, a spokesman for Leahy, told that the issue of data privacy would be discussed at an upcoming Senate Judiciary Committee hearing.

“When I first introduced this bill nine years ago, I had high hopes of bringing urgently needed data privacy reforms to the American people,” Leahy said in a statement. “Although the Judiciary Committee favorably reported this bill numerous times this legislation has languished on the Senate calendar.”

Leahy has made the Personal Data Privacy and Security Act available on his website, as well as a section-by-section review.

Most notably, the bill seeks to create a national data breach notification standard that would mandate breached entities give notice to impacted individuals no more than 60 days after the discovery of a breach, barring certain exemptions such as a law enforcement request.

A national data breach notification standard has been talked about for years, but has not gained momentum due to fluctuating standards. Currently, U.S. data breach notification laws are on a state-by-state basis and Alabama, Kentucky, New Mexico and South Dakota have yet to pass any legislation.

Other provisions in the Personal Data Privacy and Security Act include tougher penalties for entities that intentionally conceal data breaches, while an update to the Computer Fraud and Abuse Act would make penalties associated with computer hacking and conspiracy to commit computer hacking punishable under the same underlying offenses.

“This is a comprehensive bill that not only addresses the need to provide Americans with notice when they have been victims of a data breach, but also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place,” Leahy said.

Leahy last introduced the bill in 2009.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.