[Congressional Record Volume 161, Number 64 (Thursday, April 30, 2015)]
[Senate]
[Pages S2577-S2578]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Franken, Ms. Warren, Mr. 
        Blumenthal, Mr. Wyden, and Mr. Markey):
  S. 1158. A bill to ensure the privacy and security of sensitive 
personal information, to prevent and mitigate identity theft, to 
provide notice of security breaches involving sensitive personal 
information, and to enhance law enforcement assistance and other 
protections against security breaches, fraudulent access, and misuse of 
personal information; to the Committee on the Judiciary.
  Mr. LEAHY. Mr. President, today, I am introducing the Consumer 
Privacy Protection Act of 2015. This comprehensive legislation will 
help ensure that the corporations Americans entrust with their most 
personal information are taking steps to keep it secure. Data breaches 
continue to plague American businesses and compromise the privacy of 
millions of consumers. At the same time, the amount of information we 
share with corporations who are the target of these breaches is 
growing. Corporations collect and store our social security numbers, 
our bank account information, and our email addresses. They collect 
information about our private health and medical conditions. They know 
what routes we take to and from work and where we drop our kids off at 
school. They can replicate our fingerprints. We even trust them with 
private photographs that we store in the cloud.
  Corporations benefit financially from our personal information, and 
they should be obligated to take steps to keep it safe. Too often, 
however, private information falls into the hands of those who would do 
us harm and we are not even told. Last year, in what is commonly 
referred to as the "Year of the Data Breach," breaches at 
corporations, including Home Depot, Neiman Marcus, and Sony Pictures, 
as well as many others, demonstrated how vulnerable our corporations 
are to hackers and cyber criminals. In some cases these breaches 
exposed credit card data, social security numbers, or bank account 
information that left millions at risk of financial fraud or identity 
theft, and in other cases they exposed personal and private information 
to the public that led to embarrassment and reputational harm.
  The Consumer Privacy Protection Act I am introducing today seeks to 
protect the vast amount of information that we now share with 
corporations each and every day, and it builds and expands on data 
security legislation that I have introduced every Congress since 2005. 
In today's modern world, data security is no longer just about 
protecting our identities and our bank accounts; it is about protecting 
our privacy. Americans want to know when someone has had unauthorized 
access to their emails, to their bank accounts, and to their private 
family pictures, but they do not just want to be notified of yet 
another data breach. Americans want to know that the corporations who 
are profiting from their information are actually doing something to 
prevent the next data breach. Consumers should not have to settle for 
mere notice of data breaches. American consumers deserve protection. 
This legislation would accomplish that.
  The Consumer Privacy Protection Act requires that corporations meet 
certain privacy and data security standards to keep information they 
store about their customers safe, and requires that corporations notify 
the customer in the event of a breach. This legislation protects broad 
categories of data, including social security numbers and other 
government-issued identification numbers; financial account 
information, including credit card numbers and bank accounts; online 
usernames and passwords, including email names and passwords; unique 
biometric data, including fingerprints; information about a person's 
physical and mental health; information about geolocation; and access 
to private digital photographs and videos.
  I understand that not every breach can be prevented. Cyber criminals 
are determined and constantly looking for new ways to pierce the most 
sophisticated security systems. But just as we expect a bank to put a 
lock on the front door and an alarm on the vault to protect its 
customers' money, we expect corporations to take reasonable measures to 
protect the personal information they collect from us. Unfortunately, 
many of the corporations that profit from the very information that we 
entrust them to protect have woefully inadequate measures to secure 
this information. For others, security is simply not a priority. 
American consumers deserve better.
  This legislation creates civil penalties for corporations that fail 
to meet the required privacy and data security standards established in 
the bill or fail to notify customers when a breach occurs. The 
Department of Justice, the Federal Trade Commission, and the State 
Attorneys General each have a role in enforcement. This legislation 
also requires corporations to inform Federal law enforcement, such as 
the Secret Service and the FBI, of all large data breaches, as well as 
breaches that could impact the federal government. Such notification is 
necessary to help law enforcement bring these cyber criminals to 
justice and identify patterns that help protect against future attacks.
  Many Americans understandably assume Federal law already protects 
this sensitive information--common sense tells us that it should. 
Unfortunately, the reality is that it does not. States provide a 
patchwork of protection, and while some laws are strong, others are 
not. For example, 47 States and the District of Columbia require some 
form of data breach notification, but only 12 States have passed data 
security requirements designed to prevent data breaches. My home state 
of Vermont has a strong data breach notification law that has been in 
effect since 2007.
  In crafting Federal law, we must be careful not to override the 
strong State laws that took years to accomplish with weaker Federal 
protections, but we also need to ensure that all Americans, regardless 
of where they live, have their privacy protected. To this end, the 
Consumer Privacy Protection Act preempts State law relating to data 
security and data breach notification only to the extent that the 
protections under those laws are weaker than those provided for in this 
bill. We must ensure that consumers do not lose privacy protections 
they currently enjoy. Since this bill is modeled after those States 
with the strongest consumer protections, however, I believe it will 
improve protections for consumers in nearly every State.
  I am joined today by Senators Franken, Warren, Blumenthal, Wyden, and 
Markey in introducing this legislation. These Senators have long shared 
my commitment to protecting consumer privacy. This legislation also has 
the support of leading consumer privacy advocates, including: Center 
for Democracy and Technology, Consumers Union, National Consumers 
League, New America's Open Technology Institute, Consumer Federation of 
America, and Privacy Rights Clearinghouse.
  Millions of Americans who have had their personal information 
compromised or stolen as a result of a data
breach consider this issue to be of critical importance and a priority 
for the Senate. Protecting privacy rights should be important to all of 
us, regardless of party or ideology. I hope that all Senators will 
support this measure to better protect Americans' privacy.