Senator Arlen Specter (Republican - Pennsylvania) and Senator Patrick Leahy (Democrat - Vermont) have jointly introduced an identity theft / privacy bill (S. 1332).
The bill, titled the “Personal Data Privacy and Security Act of 2005,” is described as designed “to prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”
The bill is 91 pages long, and contains a number of provisions.
Among the provisions:
• Intentionally concealing a security breach could result in 5 years in prison.
• Data Brokers must disclose to individuals all records pertaining to that individual.
• Data brokers must correct inaccuracies.
• Data brokers who intentionally violate the law could face fines of $15,000 per day.
• Any business collecting, using, storing or accessing personal information on more than 10,000 people must implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards appropriate to its size and complexity.
• The safeguards would have to ensure the privacy, security, and confidentiality of personal electronic records, protect against any anticipated vulnerabilities, and protect against unauthorized access.
• Businesses would have to conduct risk assessment and risk management, employee training and vulnerability training.
• Businesses would have to exercise due diligence when working with third parties not subject to the Specter-Leahy law.
• Businesses would have to keep up with changes in technology, internal and external threats, and their changing business, and make adjustments accordingly.
• Violations of the above could result in fines of $35,000 per day.
• Businesses storing, collecting, using or accessing personal information would have to notify individuals in the event of a security breach involving sensitive personal information, as well as each consumer reporting agency and the federal agencies.
• Businesses would also have to provide to individuals 1 year of monthly access to their credit report and 1 year of credit-monitoring services.
• Failure to follow the above could result in fines of $55,000 per day.
The bill also contains limits on the use of Social Security Numbers and on government access to commercial databases.