Data Breach Legislation: What’s Happening in Washington

Posted by Anna Kragie on Dec 8, 2017 8:59:36 AM

While most attention at the moment in Washington, D.C., is on the heavily debated tax bill, there’s another proposed bill that could have major implications for businesses hit by a data breach.

A re-introduced bill, the Data Security and Breach Notification Act, proposes harsher sentences for company executives who fail to notify consumers of a breach. The initial terms of the bill calls for jail time for those who are aware of breaches, yet fail to alert consumers in a timely fashion.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," said Sen. Bill Nelson, D-FL, a sponsor of the bill, wrote in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

What Sparked The Latest Bill

Nelson, the top democrat on the Senate Commerce Committee, filed the legislation late last month. This move occurred shortly after it was revealed that Uber suffered a massive data breach in 2016 that impacted 57 million accounts and the names and driver's license numbers of 600,000 U.S. drivers. Uber has faced backlash since, including reports that the company reportedly paid a 20-year-old man to keep quiet about the details of the data breach. Uber reportedly paid hackers $100,000 ransom to delete the stolen personal data and never informed the media or the public about the incident.

Events like this, and the massive Equifax breach that exposed the personal data (including financial information) of over 145 million Americans, have led members of Congress to determine how leaders of companies hit by data breaches should be held responsible.

The legislation cracks down on company employees who attempt to cover up data breaches, and also calls on the FTC to create stricter security standards to better protect consumers’ personal and financial data. Beyond implementing regulation and punishments for those who don’t abide, the legislation also introduces incentives for businesses who integrate new technologies to protect consumer data by making it unusable/unreadable if it was ever stolen in a data breach.

How It Impacts Companies' Response To Data Breaches

Under the proposed legislation, knowingly hiding a data breach could be crime punishable by up to five years in prison. The bill requires businesses to provide notification to impacted customers or users within 30 days of learning of the breach. There is, however, some leeway in the bill for companies to extend that deadline in order for companies to “accurately identify affected consumers; to prevent further breach or unauthorized disclosures; or to reasonably restore the integrity of the data system," according to the bill.

Nelson first introduced this act in 2015, and again last year in committee. Currently, 48 U.S. states have data breach regulation laws, but they aren’t consistent across each state. This proposed bill follows other legislation that was proposed this year following the Equifax data breach. The Data Broker Accountability and Transparency Act, as its called, is designed to required data brokers to create privacy and security measures for notifying the public after a breach.