Top Democrats on the Senate Commerce Committee are renewing efforts to pass a law requiring companies to quickly notify consumers in the wake of a data breach, citing recent news that Uber suffered a breach more than a year ago and responded by paying the hackers responsible $100,000 in exchange for their silence.
The bill, known as the Data Security and Breach Notification Act, seeks to implement nationwide breach notification standards and replace the confusing patchwork of state laws currently in place. If signed into law, the bill as is would impose new penalties on anyone convicted of “intentionally and willfully” concealing a data breach, including fines and up to five years imprisonment, or both.
The act is sponsored by Sen. Bill Nelson of Florida, the commerce committee’s ranking Democrat, as well as Sens. Richard Blumenthal and Tammy Baldwin, Democrats of Connecticut and Wisconsin, respectively.
In a statement, Nelson said a nationwide law was necessary to safeguard consumer data and protect it from being stolen from hackers. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear,” he said.
Blumenthal, who regards Uber’s handling of its data breach, which impacted as many as 57 million consumers, as “yet another example of corporate carelessness in the face of a cyber intrusions,” remarked that for any notification law to have teeth, it must come backed with “stiffer enforcement and stringent penalties.”
Citing the incident at Equifax this year, in which executives waited 41 days to notify the public after learning of a breach, Bray urged Congress to take immediate action. The Equifax breach is said to have affected as many as 145.5 million US consumers. More than 200,000 of those people had their credit card information stolen, the credit-reporting agency previously said.
The bill, a copy of which can be read below, directs the Federal Trade Commission (FTC) to develop new security standards for the purpose of aiding businesses that handle consumers’ personal and financial data. The FTC would also be tasked with providing “incentives” to businesses for the adoption of technology that makes consumer data “unusable or unreadable if stolen during a breach.”
Under the act, companies would be required to create procedures for assessing “reasonably foreseeable” vulnerabilities in their systems, as well as implement a process for destroying sensitive consumer data no longer in use—or else render it “permanently unreadable or indecipherable.”
The Democrats’ bill is but one of a handful to be introduced this year concerning data breaches and specifically the issue of public notification. During a hearing with current and former Equifax and Yahoo executives this year, both Democrats and Republicans were adamant that such protections are needed.
But as for whether Republicans lawmakers will line up behind the Data Security and Breach Notification Act, we’ll have to wait and see.