CollectionTechnology.net

Gina McNaughton

S.1490 - Personal Data Privacy and Security Act of 2009

A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

Bill text Introduced 7/22/09:
http://www.opencongress.org/bill/111-s1490/text

Update: 11/5/09

S. 1490, Personal Data Privacy and Security Act of 2009 (Leahy, Specter, Feingold, Schumer, Cardin)
Ordered Reported by Roll Call Vote, 14 - 5

Amendment GRA09882 (Leahy) Adopted by Unanimous Consent
http://judiciary.senate.gov/legislation/upload/GRA09882-Data-Privac...

Amendment GRA09859 (Sessions) Rejected by Roll Call Vote, 6 - 13

Amendment GRA09884 (Kyl) Rejected by Roll Call Vote, 7 - 12

Amendment GRA09876 (Coburn) Withdrawn

Amendment GRA09877 (Coburn) Withdrawn

Amendment GRA09857 (Sessions) Withdrawn

Amendment GRA09889 (Kyl) Withdrawn

Tags: data.privacy, s.1490, security

Comment by Gina McNaughton on November 6, 2009 at 3:03pm
I am still reading through the 70 page document.
This summary may help.

Official Summary
7/22/2009--Introduced. Personal Data Privacy and Security Act of 2009 - Amends the federal criminal code to:
(1) make fraud in connection with the unauthorized access of sensitive personally identifiable information (in electronic or digital form) a predicate for racketeering charges; and
(2) prohibit concealment of security breaches involving such information.

Directs the U.S. Sentencing Commission to review and amend its guidelines relating to fraudulent access to, or misuse of, digitized or electronic personally identifiable information (including identity theft).

Amends the federal bankruptcy code to:
(1) define "identity theft" and "identity theft victim" for bankruptcy purposes; and
(2) prohibit the dismissal or conversion of a Chapter 7 bankruptcy case if the debtor is an identity theft victim.

Requires a data broker to:
(1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained for disclosure to third parties;
(2) disclose adverse actions by third parties against an individual; and
(3) maintain procedures for correcting inaccuracies and incompleteness in such records.

Establishes standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information. Imposes upon business entities civil penalties for violations of such standards.

Requires such business entities to notify:
(1) any individual whose information has been accessed or acquired;
(2) all nationwide consumer reporting agencies if an entity is required to notify more than 5,000 such individuals; and
(3) the U.S. Secret Service if the number of individuals involved exceeds 10,000.

Authorizes the Attorney General and state attorneys general to bring civil actions against business entities for violations of this Act. Establishes in the Federal Trade Commission (FTC) an Office of Federal Identity Protection.

Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate:
(1) the data privacy and security program of a data broker;
(2) program compliance;
(3) the extent to which databases and systems have been compromised by security breaches; and
(4) data broker responses to such breaches.

Requires federal agencies to conduct a privacy impact assessment before purchasing personally identifiable information from a data broker. Requires the Department of Justice to designate a department-wide Chief Privacy Officer.
