WASHINGTON (Thursday, April 30, 2015) – American consumers are now facing constant threats of their personal information being hacked. At the same time that cyber attacks and data breaches are increasing in number and scope, so too is the amount of information consumers share with the corporations who are the target of these breaches.  In order to protect consumers and prompt corporations to do more to protect their customers, Senate Judiciary Committee Ranking Member Patrick Leahy (D-Vt.) and five Democratic Senators introduced the Consumer Privacy Protection Act on Thursday.

The Consumer Privacy Protection Act calls for a comprehensive approach to data security by requiring companies to take preventative steps to defend against cyber attacks and prevent data breaches, and to quickly notify customers in the event a data breach occurs.  The measure addresses the kinds of security breaches that have affected retail stores in recent years, as well as breaches of personal email, online accounts, and cloud computing that have sent Americans’ personal information, photos and even location out into public view.

“Today, data security is not just about protecting our identities and our bank accounts; it is about protecting our privacy.  Americans want to know not just that their bank account and credit cards are safe and secure, they want to know that their emails and their private pictures are protected as well,” Senator Leahy said.  “Companies who benefit financially from our personal information should be obligated to take steps to keep it safe, and to notify us when those protections have failed.  The Consumer Privacy Protection Act would provide these needed reforms, and all lawmakers who support consumers should support this bill.”

The bill is cosponsored by Democratic Senators Al Franken (Minn.), Elizabeth Warren (Mass.), Richard Blumenthal (Conn.), Ron Wyden (Ore.), and Edward J. Markey (Mass.). An outline of the Consumer Privacy Protection Act of 2015 can be found here, and text of legislation can be found online

Key provisions in the bill include:

  • Requires companies who store sensitive personal or financial information on 10,000 customers or more to meet consumer privacy and data security standards to keep this information safe, and notify the customer within 30 days of a breach.  
  • Establishes a broad definition of information that must be protected, including social security numbers; financial account information; online usernames and passwords; unique biometric data, including fingerprints; information about a person’s physical and mental health; information about a person’s geolocation; and access to private digital photographs and videos.
  • Requires companies to inform federal law enforcement of all large breaches, as well as breaches that involved federal government databases or law enforcement or national security personnel. 
  • Guarantees a federal baseline of strong consumer privacy protections for all Americans by preempting weaker state laws, while leaving stronger state laws in place.

 

Democratic Senators cosponsoring the bill also called for increased protections for consumers.

Senator Markey said: “Data breaches are a black cloud hanging over the United States’ bright economic horizon, threatening identity theft or fraud every time consumers make a purchase.  Congress must act swiftly to ensure that Americans’ personal and sensitive information is properly safeguarded.  The Consumer Privacy Protection Act requires companies to adhere to strong data security standards and creates penalties for companies that fail to meet them.  I thank Senator Leahy for his leadership on this issue and look forward to working with my colleagues to pass this important legislation.” 

Senator Warren said: “It is critical that companies take steps to protect consumers from data breaches and inform them when those protections fail.  The Consumer Privacy Protection Act raises the standard that companies across the country must meet and recognizes the important role that states have in enforcing their own strong consumer data protections.”

Senator Blumenthal said: “This legislation will create higher security standards for the companies that collect and store invaluable personal information.  It will also expand the scope of protected information beyond just credit cards to include pictures and email accounts, and ensure consumers are immediately notified if the security of their personal information is breached.  Our digital lives have expanded beyond just credit cards numbers – we now store photos of kids, health information, and personal correspondence online and they are all targets for cybercriminals. We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn’t weaken state protections that consumers rely on to keep their information safe.  Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era.”

Senator Wyden said: “Oregonians’ usernames, passwords and photos can be just as sensitive as a social security number.  Consumers deserve to know when their data is compromised and for companies to take securing their private information seriously.  The Consumer Privacy Protection Act is the right approach to cybersecurity: increasing security while also increasing user privacy.”