[Congressional Record Volume 163, Number 186 (Tuesday, November 14, 2017)]
[Senate]
[Pages S7215-S7216]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Markey, Mr. Blumenthal, Mr. Wyden, 
        Mr. Franken, Ms. Baldwin, and Ms. Harris):
  S. 2124. A bill to ensure the privacy and security of sensitive 
personal information, to prevent and mitigate identity theft, to 
provide notice of security breaches involving sensitive personal 
information, and to enhance law enforcement assistance and for other 
protections against security breaches, fraudulent access, and misuse of 
personal information; to the Committee on the Judiciary.
  Mr. LEAHY. Mr. President, today, I am introducing the Consumer 
Privacy Protection Act of 2017. This legislation, if enacted, will help 
ensure that when Americans entrust corporations with their most 
sensitive personal information, these corporations take the right steps 
to keep this information secure, and do the right thing in the event of 
a data breach. In today's modern world, data security is no longer just 
about protecting our identities and our bank accounts; it is about 
protecting our privacy and even our National security.
  The need for this legislation has long been clear, and never more so 
than in the wake of the recent, massive Equifax data breach. After 
media investigations and multiple Congressional hearings, we learned 
that the Equifax breach exposed the sensitive personal information of 
almost half the American population. We also learned that Equifax 
failed to take basic steps to secure its databases, and waited an 
unjustifiably long period before notifying consumers and regulators. 
Clearly, it is past time for all corporations that hold our personal 
information to maintain some common-sense, baseline cybersecurity 
standards.
  Corporations make significant profits from our personal information, 
and they should be obligated to keep it safe. Yet too often, data 
breaches continue to plague American businesses
and compromise the privacy of millions of consumers. At the same time, 
the amount of information we share with corporations who are the target 
of these breaches is growing. Corporations collect and store our social 
security numbers, our bank account information, and our email 
addresses. They collect information about our private health and 
medical conditions. They know what routes we take to work and where we 
drop our kids off at school. They can replicate our fingerprints or 
even faceprints. We trust them with private photographs that we store 
in the cloud. This information is increasingly targeted by both 
criminal hackers and nation-states, including hostile foreign powers.
  The Consumer Privacy Protection Act I am introducing today is based 
on legislation I first introduced in 2015, and builds and expands on 
data security legislation that I have introduced in Congress since 
2005. It seeks to protect the vast amount of information that we now 
share with corporations each and every day. Americans want to know that 
the corporations who are profiting from their information are actually 
doing something to prevent the next data breach. Americans want to know 
when someone has had unauthorized access to their bank accounts and to 
their private family photographs, but they do not just want to be 
notified of yet another data breach. Consumers should not have to 
settle for mere notice of data breaches. American consumers deserve 
protection. This legislation would accomplish that.
  The Consumer Privacy Protection Act requires that corporations meet 
certain baseline privacy and data security standards to keep 
information they store about their customers safe, and requires that 
corporations provide notice and protection to consumers in the event of 
a breach. This legislation protects broad categories of data, 
including (1) social security numbers and other government-issued 
identification numbers; (2) financial account information, including 
credit card numbers and bank accounts; (3) online usernames and 
passwords, including email names and passwords; (4) unique biometric 
data, including fingerprints; (5) information about a person's physical 
and mental health; (6) information about geolocation; and (7) access to 
private digital photographs and videos.
  It is true that not every breach can be prevented. Cyber criminals 
and nation-state actors are determined and constantly looking for new 
ways to pierce the most sophisticated security systems. But just as we 
expect a bank to put a lock on the front door and an alarm on the vault 
to protect its customers' money, we expect corporations to take 
reasonable measures to protect the personal information they collect 
from us. Unfortunately, many of the corporations that profit from the 
very information that we entrust them to protect have woefully 
inadequate measures to secure this information. For others, security is 
simply not a priority. American consumers deserve better and our 
national security demands it.
  This legislation creates civil penalties for corporations that fail 
to meet the required privacy and data security standards established in 
the bill or fail to provide notice and protection to consumers when a 
breach occurs. The Department of Justice, the Federal Trade Commission, 
and State attorneys general each have a role in enforcement. This 
legislation also requires corporations to inform Federal law 
enforcement of all large data breaches, as well as breaches that could 
impact the federal government. Such notification is necessary to help 
law enforcement bring these cyber criminals to justice and identify 
patterns that help protect against future attacks.
  Many Americans understandably assume Federal law already protects 
this sensitive information--common sense tells us that it should. 
Unfortunately, the reality is that it does not. States provide a 
patchwork of protection, and while some laws are strong, others are 
not. For example, my home state of Vermont has a strong data breach 
notification law that has been in effect since 2007. But there are 
many other States that have not passed data security laws designed to 
prevent data breaches.
  This legislation sets a floor: a baseline standard that protects 
Americans across the country, while also freeing individual States to 
provide even stronger protections to their residents. In crafting 
Federal law, we must be careful not to override strong State laws, but 
we also need to ensure that all Americans, regardless of where they 
live, have their privacy protected. To this end, the Consumer Privacy 
Protection Act preempts State law relating to data security and data 
breach notification only to the extent that the protections under those 
laws are weaker than those provided for in this bill. We must ensure 
that consumers do not lose privacy protections they currently enjoy. 
Since this bill is modeled after those States with the strongest 
consumer protections, I believe it will improve protections for 
consumers in nearly every State.
  I am joined today by Senators Markey, Blumenthal, Wyden, Franken, and 
Baldwin in introducing this legislation. These Senators have long 
shared my commitment to protecting consumer privacy. This legislation 
also has the support of leading consumer privacy advocates, including: 
the Center for Democracy and Technology, the Consumer Federation of 
America, New America's Open Technology Institute, and Public Knowledge.
  Millions of Americans who have had their personal information 
compromised or stolen as a result of a data breach consider this issue 
to be of critical importance and a priority for the Senate. Protecting 
privacy rights should be important to all of us, regardless of party or 
ideology. I hope all Senators will support this common-sense measure to 
better protect Americans' privacy.

                          ____________________