your connection to The Boston Globe

Leahy tries again with data privacy bill

MONTPELIER, Vt. --U.S. Sen. Patrick Leahy introduced legislation Tuesday aimed at tightening controls on consumers' personal information, citing recent online security breaches in Vermont and elsewhere that exposed thousands to possible identity theft.

Under the bill, companies that maintain sensitive personal data would be required to notify law enforcement authorities and the affected individuals in the case of breaches. It would become a crime to cover breaches up, and criminal penalties for identity theft would be increased.

"Today, Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven't kept pace," Leahy, D-Vt., said in a prepared statement.

"This comprehensive bill not only deals with the need to provide Americans with notice when they have been victims of a data breach, but also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place. Reforms like these are long overdue," he said.

The bill, dubbed the Personal Data Privacy and Security Act of 2007, mirrors one Leahy offered in the last Congress. It would:

--make it a crime to intentionally or willfully conceal a security breach involving personal data.

--give individuals access to any personal information held by commercial data brokers, and assure them of the right to correct anything erroneous.

--require entities to establish internal policies that protect personal data and to notify authorities when there's a breach.

--require government to establish rules protecting privacy when it uses information from commercial data brokers.

--require audits of government contracts with data brokers and provide for penalties on contractors who fail to meet data privacy and security requirements.

"This legislation is a critically important tool to protect the privacy of Americans' personal information," said U.S. Sen. Bernie Sanders, I-Vt., a co-sponsor. "Companies who collect personal information have a serious responsibility to safeguard it and this bill would make sure they do that," he said.

Last week, state officials disclosed that a state computer used to track non-custodial parents who owe child support was the victim of a remote attack, jeopardizing nearly 70,000 people whose names, Social Security numbers and bank account information were exposed.

At the time, state officials said there was no indication the information had been used by identity thieves, but they acknowledged it was a possibility. Letters have been sent to the people whose information was exposed, and lawmakers are looking into the breach and how it occurred.

On Wednesday, the state Senate Judiciary Committee and state Senate Government Operations Committee will hold a hearing on the breach.

Last month, The AP reported that the web site of the Vermont Secretary of State's office contained Internet links to business files that held the Social Security numbers of individuals.

In another recent incident involving state government, a state contractor posted on the Internet the Social Security numbers of more than 1,100 doctors, psychotherapists and other health professionals.