Bill Calls for Stiff Fines for Online Privacy Abuse
Personal Data Protection and Breach Accountability Act Unveiled
If those phishers get caught and convicted, they could face up to five years in prison and/or a $1 million fine, if a bill introduced Thursday in the Senate becomes law. The Personal Data Protection and Breach Accountability Act of 2011, known as S. 1535, is the latest of about a dozen bills introduced this year in Congress aimed at protecting individuals' online privacy.
Sen. Richard Blumenthal, the Connecticut Democrat who serves on the Senate Judiciary Committee's Privacy, Technology and the Law Subcommittee, introduced the bill, which was assigned to the Judiciary Committee for review.
Elements of the 100-page bill, if enacted, are aimed at companies that store online data for more than 10,000 people, establishing regulations focused on specific storage guidelines to safeguard personal information. Companies failing to comply, if the bill becomes law, face severe financial penalties.
The bill criminalizes the installation of software designed to collect sensitive, personally identifiable information unless the computer owner is clearly notified and/or gives permission. It also makes it illegal for an Internet service provider or another entity to bypass the display of search engine results and take users to commercial websites, counterfeit web pages or targeted advertisements that derive an economic benefit from such activity. Individuals found to be consistently violating these provisions face a maximum sentence of five years in prison and/or a $1 million fine.
Blumenthal sees data privacy as a significant problem. His bill states that more than 9.3 million individuals fell victim to identity theft in the United States last year.
The freshman senator's interest in computer privacy predates his election to Congress last November. As the Connecticut attorney general, he filed a HIPAA civil lawsuit in federal court against insurer Health Net, which agreed in July 2010 to pay $250,000 in damages and offer stronger consumer protections to settle the case (see Health Net Settles Breach Suit). The case, dating back to May 14, 2009, involved the loss of an unencrypted portable disk drive holding records for more than 500,000 enrollees in Connecticut and more than 1.5 million consumers nationwide. The suit was the first of its kind filed in the wake of the HITECH Act, which allows state attorneys general to bring civil action in federal court for violations of the HIPAA security and privacy rules.
In May, Blumenthal was one of five senators who asked the Securities and Exchange Commission to issue guidance regarding the disclosure of information security risks, including material network breaches, citing inconsistencies in reporting, investor confusion and the national importance of addressing cybersecurity (see Senators Ask SEC to Issue IT Security Guidance).