Data Privacy & Protection Act of 2005: Specter-Leahy Bill FAQs
This page contains answers to the most commonly asked questions about the Data Privacy & Protection Act of 2005, frequently referred to as the “Specter-Leahy” bill.
- What is “Specter-Leahy?”
- What is the purpose of the Specter-Leahy bill?
- Why is this bill necessary?
- What rules does this bill propose?
- What are the penalties for non-compliance?
- Who is subject to compliance?
- Who is NOT subject to compliance?
- Does encryption grant “safe harbor” from the Specter-Leahy bill?
- How can my organization prepare for the Specter-Leahy bill?
- How can GuardianEdge solutions help my organization manage compliance?
1) What is “Specter-Leahy”?
Specter-Leahy is a legislative bill originally sponsored by U.S. Senators Arlen Specter and Patrick Leahy. The reference code for this bill is “S.1789” and the bill is entitled, “The Data Privacy and Security Act of 2005.” Recently, Senators Dianne Feinstein and Russell Feingold have been added as co-sponsors of this bill, so one could technically refer to it as the “Specter-Leahy-Feinstein-Feingold” bill.
2) What is the purpose of Specter-Leahy?
The purpose of the Specter-Leahy bill is to:
- Prevent and mitigate identity theft
- Ensure privacy and provide notice of security breaches to affected individuals
- Enhance criminal penalties, law enforcement assistance and other protections against security breaches, fraudulent access and misuse of personally identifiable information
3) Why is this bill necessary?
Congress has determined that databases of personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees and other criminals. Identity theft, in particular, is a serious threat to the nation’s economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans.
In the face of these findings, Congress believes this bill is necessary to ensure the right of consumers and identity theft victims to information and assistance that will help them mitigate damages and restore the integrity of their personal information.
4) What rules does this bill propose?
In general, the bill proposes new rules that would require business entities that own, use or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy and confidentiality of that information. The bill contains a myriad of new regulations; Title IV of the Specter-Leahy bill is of particular interest because it introduces two new areas of due diligence for organizations that use personal electronic records:
- Implementation of a data privacy and security program
- Public notification of security breaches involving personal information
Data privacy and security program
The Specter-Leahy bill requires affected agencies and businesses to enact a comprehensive data privacy and security program. This program must include technical safeguards such as encryption for protecting personally identifiable information during use, transmission, storage and disposal.
Notification of security breach
This is a long and complex requirement that covers the timeliness, scope and several other elements of the notification process. The important point to take away is that the “burden of proof” is on the affected agency or business; these organizations “shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the necessity of any delay.”
5) What is the penalty for failure to comply with Title IV rules?
Data privacy and security program
Non-compliance carries a civil fine of $5,000 per violation, per day while the violation persists. There is a daily maximum of $35,000. These fines double if the violation is found to be willful or intentional.
Notification of security breach
Non-compliance carries a civil fine of $1,000 per day for every affected individual who has not been notified in a timely manner. This fine is assessed daily while the violation persists. There is a daily maximum of $50,000. These fines double if the violation is found to be willful or intentional.
In addition, any person or organization that is found to have willfully or intentionally concealed a security breach can be imprisoned for up to 5 years.
6) Who must comply with these requirements?
Any business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons must comply.
7) Who is NOT required to comply with these requirements?
Title IV rules do not apply to organizations that are subject to either the Gramm-Leach-Bliley Act (GLBA), e.g. financial institutions, or the Health Insurance Portability and Accountability Act (HIPAA), e.g. health care service providers.
In addition, there are a number of instances in which an organization may claim exemption from Title IV rules; however, most or all of these involve the explicit approval of a government entity such as the FTC or the United States Secret Service.
8) Does encryption provide safe harbor from Title IV rules?
It is important to note that Specter-Leahy does not require encryption per se, nor does use of encryption to protect data grant a blanket exemption from the rules set forth in Title IV of the Specter-Leahy bill. This is partially in recognition of the ever-evolving nature of encryption technology and the difference between strong and weak encryption.
However, the bill effectively recognizes encryption as a vital component of any data security program and explicitly recognizes encryption as an effective technical safeguard during the use, transmission, storage and disposal of personal electronic records. Thus, organizations that use encryption will find it much easier to demonstrate the effectiveness of their data privacy and security programs than organizations that do not employ encryption technologies.
9) How can my organization prepare for Specter-Leahy or other data protection laws?
Compliance for the sake of compliance is not an effective business strategy. Organizations that take this approach will get caught up in interpreting the letter of each law, and are likely to develop points of pain as they react to changes in the regulatory environment. Many organizations, for example, are still reeling from the passage of the Sarbanes-Oxley Act and have yet to institute all the controls necessary for compliance.
In contrast, those who adopt a security-as-opportunity approach (a proactive, rather than reactive, model) are more likely to implement encryption in a strategic manner. Encryption is a particularly powerful method for securing data at the perimeter of the corporate network, where data often leaves the office on laptops, PDAs and removable storage devices. Even more important is to encrypt the hard disk or memory chip itself, not just specific files or file types. These days, it is all too easy for someone to comb through temporary files, recover deleted data or hack into the operating system itself.
Encryption is one of the most comprehensive and cost-effective methods for managing compliance with data security regulations. Organizations that use encryption to secure data gain the foundation for demonstrating the effectiveness of their security measures to authorities and the public in the event of a security breach. The key to using encryption or any other data security solution is to act quickly and proactively with clear strategic goals in mind. By adopting a security-as-opportunity approach, you can stay ahead of the compliance curve, ahead of identity thieves and other cyber-criminals and ahead of your competitors, transforming the ball-and-chain of data security into a strategic opportunity for your organization.
10) How can GuardianEdge Technologies help my organization manage regulatory compliance more effectively?
GuardianEdge is a market leader in reducing the cost and complexity of enterprise data security. Customers around the world depend on GuardianEdge solutions to ensure compliance with rules for safeguarding privacy, to protect sensitive and proprietary information and to enable secure enterprise mobility. Established in 1984, GuardianEdge serves an installed base of more than half a million active users at leading global corporate and governmental organizations, including Lockheed Martin Corp., Deutsche Bank AG and Humana Inc.
For more information about how GuardianEdge Technologies can help your organization get ahead of the compliance curve and turn data security into a business enabler, visit our products page or contact a GuardianEdge representative today.