Senators introduce data breach disclosure bill
Executives could face jail time for not reporting data breaches in a timely manner, if a proposed bill becomes law.
Three Democratic senators introduced on Thursday the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days. If an individual knowingly conceals a data breach, they could face up to five years in prison.
The bill’s introduction follows Uber’s recent disclosure of a major 2016 data breach. After hackers stole data on 57 million customers late last year, Uber paid them $100,000 to destroy the data. It did not disclose the breach to the public or regulators until last week.
Data breach notification practices have been in the spotlight over the last few months. Before Uber’s disclosure, a massive Equifax hack exposed names, Social Security numbers, and other private data on more than 145 million people. It took the credit reporting company 41 days to notify the public of the breach.
The legislation was introduced by Florida Senator Bill Nelson and co-sponsored by Senator Richard Blumenthal of Connecticut and Wisconsin Senator Tammy Baldwin.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson said in a statement.
Currently, 48 states have data breach notification laws that require companies to report hacks, and the requirements vary by state.
The proposed bill directs the Federal Trade Commission to establish security protocols for businesses to follow as part of an effort to better protect customer data. It also intends to provide incentives to businesses that use technologies that make stolen data unreadable.
Another piece of legislation proposed earlier this year aims to establish clearer rules around data breach disclosures. The Data Broker Accountability and Transparency Act, introduced by Blumenthal following the Equifax breach, would require data brokers to create privacy and security measures for notifying the public after a breach.