The Honorable Russ Feingold

United States Senator
Wisconsin
November 5, 2009

U.S. Senator Russell D. Feingold
Statement for the Record
on the Personal Data Privacy and Security Act of 2009
Judiciary Committee Markup
November 5, 2009

Mr. Chairman, I strongly support the Personal Data Privacy and Security Act of 2009. I know that the Chairman has put a great deal of work into this legislation, as have other members of the Committee. This bill is a much-needed step toward ensuring the privacy and the security of our personal data, which has become such a precious commodity.

In the twenty-first century, several forces are converging to make our personal information more valuable, and vulnerable, than ever. We all know about the security breaches that have been reported on the front pages of newspapers all over the country for the past several years. The Committee Report that was issued in 2007 on this bill vividly demonstrates the scope of the problem that is being addressed. It reproduces data from the Privacy Rights Clearinghouse documenting that from January 1, 2005, to May 21, 2007, the number of records containing sensitive personal information involved in security breaches totaled more than 154 million. And that covers a period of only two and a half years.

But this is about much more than just information security. As news stories have focused on the data broker business, many Americans have been surprised to discover that companies are creating digital dossiers about them that contain massive amounts of information, and that these companies sell that information to commercial and government entities. The revelations about these security breaches highlighted the fact that Americans need a better understanding of what happens to their personal information in a digital world, and what kind of consequences they can face as a result.

There is no question that data aggregators play a valuable role in, for example, allowing consumers to obtain instant credit and personalized services, and police officers to locate suspects. But these companies also gather a great deal of potentially sensitive information about individuals, and in many instances they go largely unregulated.

The Personal Data Privacy and Security Act takes a comprehensive approach to the privacy and security problems we face. While the bill contains many important provisions, I want to highlight one part of the bill that I think is critically important. Title IV of the bill contains privacy and security provisions to govern the government's use of commercial data.

While the government should certainly be able to access commercial databases in appropriate circumstances, there are few existing rules or guidelines to ensure this information is used responsibly. The Privacy Act, which governs when government agencies themselves are collecting data, does not apply when the information is held outside the government and is not gathered solely at government direction.

A comprehensive approach to data privacy and security would be incomplete without addressing this piece of the puzzle. The bill recognizes there are many legitimate reasons for government agencies to obtain commercially available data, but that they need to be subject to privacy and security protections. It takes a common sense approach, requiring government agencies to take basic steps in their contracting to ensure that individuals' personal information is secure and only used for legitimate purposes, and that the commercial information the government is paying for and relying on is accurate and complete. Any privacy legislation we develop and pass in this Committee should include these basic safeguards.

Mr. Chairman, thank you again for your hard work on this bill. I am pleased to cosponsor it, and I look forward to supporting your efforts to report it to the floor. Thank you.