Statement of Senator Patrick Leahy On The Introduction Of The Specter-Leahy Personal Data Privacy and Security Act of 2005 June 29, 2005 Mr. LEAHY. Mr. President, today we introduce the Specter-Leahy Personal Data Privacy and Security Act of 2005. Reforms are urgently needed to protect Americans’ privacy and to secure their personal data. There have been steady waves of security breaches over the past six months, with the latest involving a database containing 40 million credit card numbers at a company that most Americans never knew existed. These security breaches are a window on a broader, more challenging trend. Advanced technologies have improved our lives and can help make us safer. Private data about Americans has become a hot commodity. This personal and financial information about each of us suddenly is a treasure trove, valuable and vulnerable, but our privacy and security laws have not kept pace. The reality is that in the digital era, a robust market has developed for collecting and selling personal information. Today, all types of corporate and governmental entities routinely traffic in billions of digitized personal records about Americans. The data broker market has exploded in size to meet this demand. Insecure databases are now low-hanging fruit for hackers looking to steal identities and commit fraud. We are seeing a rise in organized rings that target personal data to sell in online, virtual bazaars. In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly. This trend raises new threats to our personal security as well as to our privacy. In one disturbing case, a stalker purchased the Social Security number of a woman with whom he was obsessed, used that information to track her down. He killed her, and then shot himself. Americans everywhere are wondering, “Why do all these companies have my personal information? What are they doing with it? Why aren’t they protecting it better?” And they are right to wonder. It is time for Congress to catch up with the data market and to show the American people that we are aware of these threats and will protect the privacy and security of their personal information. Chairman Specter and I have worked closely together over many months to craft comprehensive legislation to fix key vulnerabilities in our information economy. We thought through these issues carefully and took the time needed to develop well-balanced, focused legislation that provides strong protections where necessary. We also provide tough penalties and consequences for failing to protect Americans’ most personal information. Reforms like these are long overdue. This issue and our legislation deserve to become a key part of this year’s domestic agenda so that we can achieve some positive changes in areas that affect the everyday lives of Americans. First, our bill requires data brokers to let people know what information they have about them, and to allow people to correct inaccurate information. These principles have precedent from the credit report context, and we have adapted them in a way that makes sense for the data brokering industry. It’s a simple matter of fairness. Second, we would require companies that have databases with personal information on Americans to establish and implement data privacy and security programs. Any company that wants to be trusted by the public in this day and age must vigilantly protect databases housing Americans’ private data. They also have a responsibility in the next link in the security chain, to make sure that contractors hired to process data are on the up-and-up and secure. This is critical as Americans’ personal information is increasingly processed overseas. Third, our bill requires notice when sensitive personal information has been compromised. The American people have a right to know when they are at risk because of corporate failures to protect their data, or when a criminal has infiltrated data systems. The notice rules in our bill were crafted carefully to ensure that the trigger for notice is tied to risk and to recognize important fraud prevention techniques that already exist. But our priority was making sure that victims have that critical information as a roadmap providing the assistance necessary to protect themselves, their families and their financial well-being. Fourth, our bill provides tough new protections for Social Security numbers, which are the keys to unlocking so much of our financial and personal lives. The use of Social Security numbers has expanded well beyond the intended purposes. Some uses provide important benefits, but others have made Americans vulnerable. Social Security numbers are for sale online for small fees. Earlier this year, it was reported that a payroll and benefits company put the Social Security numbers of 1,000 workers on postcards – on postcards  brazenly visible for anyone to see. Worse still, those postcards described in detail how those Social Security numbers could be used to access employee benefits online. This is unacceptable, and this bill would make that kind of disregard and sloppiness illegal. Finally, our bill addresses the government’s use of personal data. We are living in a world where the government is increasingly looking to the private sector to get personal data that it could not legally collect on its own. So ingrained has the data broker-government partnership become that a ChoicePoint executive stated, “We do act as an intelligence agency, gathering data, applying analytics.” While these relationships can help protect us, there must be oversight and appropriate protections. The recent decision to award Choicepoint an IRS contract highlights this tension. It is especially galling right now to be rewarding firms that have been so careless with the public’s confidential information. The dust has not yet settled and the investigations are incomplete on ChoicePoint’s lax security practices. We should at least take a pause before rewarding such missteps with even more government contracts. This bill would place privacy and security front and center in evaluating whether data brokers can be trusted with government contracts that involve sensitive information about the American people. It would require contract reviews that include these considerations, audits to ensure good practice, and contract penalties for failure to protect data privacy and security. The Specter-Leahy legislation meets other key goals. It provides tough monetary and criminal penalties for compromising personal data or failing to provide necessary protections. This creates an incentive for companies to protect personal information, especially when there is no commercial relationship between individuals and companies using their data. Our legislation also carefully balances the need for federal uniformity and state leadership. States are often on the forefront of protecting privacy and spurring change. The California security breach law has been an important lesson. My state of Vermont was among the first – if not the first – to require individual consent before sharing financial information with third parties, and to require a person or business to obtain consent from individuals before reviewing their credit reports. The role of states is important, and our bill identifies areas that require uniformity while leaving the states free to act elsewhere as they see fit. We also would authorize an additional $100 million over 4 years to help state law enforcement fight misuse of personal information. This is a solid bill  a comprehensive bill  that not only deals with providing Americans notice when they have already been hurt, but also deals with the underlying problem of lax security and lack of accountability in dealing with their most personal and private information. I commend Senator Specter for his leadership on this emerging problem. A number of us have been working on these issues -- Senator Feinstein, Senator Nelson, Senator Cantwell and Senator Schumer, among others. I appreciate and recognize their hard work and look forward to making progress together. I am pleased to work closely with Senator Specter on this and believe that we have a bill that significantly advances the ball in protecting Americans. # # # # #