This story appeared on Network World at


The Leahy privacy bill: coddling the criminals?


By Scott Bradner, Network World, 02/19/07


After the data breach about a year ago that exposed the personal information of some congressmen, I was sure that there would soon be a federal bill enhancing privacy protections (See Privacy: A personal touch).


But that was not to be.


I guess the big companies that make a profit by violating your and my personal space have enough clout on Capital Hill to even get a congressman whose data was exposed to back off. When the election changed the power picture in Washington, D.C., I had a little burst of hope that something meaningful would happen in this space, but I'm mostly disappointed in what the change has actually brought.


In early February, Senators Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, and Bernie Sanders (I-Vt.) introduced the "Personal Data Privacy and Security Act Of 2007."


From the press release and a quick read of the proposed legislation, it looks quite good. Even in a more detailed reading the bill has some good stuff in it, but in the end the bill does more to protect the people who are sloppy with your data than have any real teeth to prevent the sloppiness in the first place.


The bill concerns itself with the protection of "sensitive personally identifiable information." This includes your name along with Social Security number, passport number or driver's license number, your home address and mother's maiden name or your date of birth, a biometric ID (e.g., fingerprint), bank account number and PIN, or credit card and security code (Note that the new RFID passports may meet this definition because they include your name and picture). As you might expect, the bill would override any state or local laws that address the same issues.


Under the bill, anyone who has this information about you must endeavor to protect it "equal to industry standards" and must notify you if it is improperly accessed. Failure to notify, even where there is just one person's information exposed, can generate a fine of $1,000 per day, as much as $250,000 and as many as five years in jail. These can be doubled if the failure is intentional and willful.


Under the bill, you can ask to see your record (not including any list of purchases they might have for you) that is held by a data broker and ask for it to be corrected if you see anything wrong. The broker can tell you to go away if it wants to claim you are being "frivolous."


The bill would require that anybody or company that has personal information about more than 10,000 "U.S. persons" to create a protection program much like the Gramm-Leach Bliley Act requires (a risk assessment, employee training, etc). Fines of $5,000 per day can be imposed for failure to have the protections or have such a program -- also doubled if intentional or willful.


Charges for violations under this bill can be brought by state attorneys general or by the Federal Trade Commission (FTC). The bill removes any right for the party hurt by the exposure -- i.e., you -- to bring private action.


Taking all enforcement out of the hands of the citizens basically removes any incentive for a company to do the right thing. In almost all cases the FTC does not fine anyone, but just makes them promise not to be bad in the future. The FTC does not make organizations exposing private data admit they were bad this time. Few state attorneys general seem to be interested in this soft of a thing -- Eliot Spitzer, New York's former attorney general, was an exception.


So by blocking the ability for private action, this bill tells businesses that they will get a free pass if they mess up. It is hardly a pro-privacy clarion call. It's all very disappointing, but sadly, not all that surprising considering we are talking about Washington.


Disclaimer: Harvard trains lawyers who can help correct Washington's lapses, but only if they are permitted to do so. The above is my opinion, not the Law School's or Harvard's.