Reporting from Washington, D.C., Hunton & Williams partner Frederick Eames writes:
Elections have consequences. What are the consequences of the 2012 election on U.S. federal privacy, data security and breach notice legislation? We outline some key developments in the U.S. House of Representatives and Senate and explain how these developments might affect legislative priorities and prospects for the 113th Congress beginning in 2013.
Tags: Behavioral Advertising, Cliff Stearns, Congress, Consumer Protection, Department of Commerce, Dodd-Frank Act, Federal Trade Commission, Jay Rockefeller, John Kerry, Legislation, Obama, Online Privacy, Patrick Leahy, Security Breach, Senate, U.S. Federal Law
On September 22, 2011, the Senate Judiciary Committee approved three separate bills that would establish a national data breach notification standard. Because the bills were approved on a party-line vote, and several other data breach bills currently are under consideration by other Senate committees, the prospects for these three bills in the full Senate are uncertain.
On June 7, 2011, Senator Patrick Leahy (D-VT) introduced the “Personal Data Privacy and Security Act of 2011” (the “Act”), co-sponsored by Senators Charles Schumer (D-NY) and Ben Cardin (D-MD). This marks the fourth time Senator Leahy has introduced ambitious privacy legislation; in 2005, 2007 and 2009, similar bills failed to advance in the Senate. In his press release, Senator Leahy stated that “many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”
On February 14, 2011, Senator Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, announced the creation of a subcommittee on Privacy, Technology and the Law. The subcommittee will be chaired by Senator Al Franken (D-MN), and its jurisdiction will include oversight of laws and policies that govern the commercial collection, use and dissemination of personal information. Senator Franken said, “The boom of new technologies…has also put an unprecedented amount of personal information into the hands of large companies that are unknown and unaccountable to the American public.” Senator Tom Coburn (R-OK) will be the ranking minority member of the subcommittee. The subcommittee will increase focus on privacy issues, but may encounter jurisdictional conflicts with both the financial services and commerce committees when writing legislation.
As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”). Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC "shall not be compelled to disclose" certain information it obtains pursuant to the ’34 Act when conducting surveillance, risk assessments or other regulatory and oversight activities.
According to BNA’s Privacy Law Watch, on March 8, 2010, Senator Patrick Leahy asked President Obama to nominate members for the dormant Privacy and Civil Liberties Oversight Board. The Board, which was created in 2004 upon the recommendation of the 9/11 Commission, focuses on ensuring that privacy and civil liberties concerns are incorporated into anti-terrorism laws and regulations. Although President Obama had pledged in May 2009 to reconstitute the board, which has had no members since January 2008, privacy advocates say that his focus on cybersecurity issues has delayed the nomination process.
July saw a flurry of activity involving data security breach notification laws.
- On July 1, breach notification laws in Alaska and South Carolina went into effect.
- On July 9, Missouri became the 45th state to enact a data breach notification law.
- On July 22, Senator Patrick Leahy reintroduced a comprehensive federal data security bill calling it one of his “highest legislative priorities.”
- On July 27, North Carolina amended its breach notification law to require notification of the state attorney general any time consumers are notified of a breach involving their personal information. The amendment also included content requirements for the attorney general’s notice.