A reintroduced Senate bill is addressing a timely topic. The bill aims to make it a crime, punishable by up to five years in prison, if companies knowingly conceal a data breach. After a year of high-profile cyber attacks, like the Equifax breach, and news that Uber concealed a breach impacting 57 million users for a year, Sen. Bill Nelson, is reviving a previously unsuccessful bill called the "Data Security and Breach Notification Act."
If passed, the new federal law would overrule the many statewide laws regulating breach notifications by establishing a nationwide standard. Currently, 48 states have data breach notification laws that require companies to report hacks. They vary by state.
The law would include a requirement for companies to notify customers within 30 days, along with the potential criminal penalties. The bill would also impose new penalties on anyone convicted of “intentionally and willfully” concealing a data breach, including fines and up to five years imprisonment, or both.
The bill will also require the Federal Trade Commission to draft security protocols for use by all businesses that handle consumers’ personal and financial data. These protocols include designating a chief privacy officer, establishing a process to identify vulnerabilities, have a process for the disposal of information, etc. It would also incentivize organizations that use new technologies to make stolen data unreadable or unusable if stolen during a breach.
The bill is sponsored by Sen. Bill Nelson of Florida, the commerce committee’s ranking Democrat, as well as Senators Richard Blumenthal and Tammy Baldwin, Democrats of Connecticut and Wisconsin, respectively.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson said in a statement.
“Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal, he continued. When it comes to doing what’s best for consumers, the choice is clear.”
Blumenthal, who regards Uber’s handling of its data breach as “yet another example of corporate carelessness in the face of a cyber intrusions,” remarked that for any notification law to have teeth, it must come backed with “stiffer enforcement and stringent penalties.”
The Democrats’ bill is but one of a handful to be introduced this year concerning data breaches and specifically the issue of public notification. Another piece of legislation proposed earlier this year aims to instill clearer rules around data breach disclosures. The Data Broker Accountability and Transparency Act, introduced by Blumenthal following the Equifax breach, would require data brokers to create privacy and security measures for notifying the public after a breach.
During a hearing with current and former Equifax and Yahoo executives this year, both Democrats and Republicans were adamant that such consumer protections are needed.
Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.