Three Democratic senators—Florida Senator Bill Nelson, Senator Richard Blumenthal of Connecticut and Wisconsin Senator Tammy Baldwin—introduced legislation which requires companies to promptly report data breaches and imposes new criminal penalties for executives who try to deliberately conceal data breaches.
The proposed bill, the Data Security and Breach Notification Act, was introduced in the wake of Uber’s recent disclosure of a major 2016 data breach. According to Uber, hackers accessed the personal information of 57 million riders and drivers last year, a breach that the company didn’t disclose publicly until two weeks ago. At the time of the breach, Uber paid hackers $100,000 to destroy the data and did not tell regulator or users that their information was stolen, according to media reports.
The legislation would, among other things, require companies to notify consumers of a data breach within 30 days; and make it a crime – punishable by up to five years in prison – for knowingly concealing a breach.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Nelson said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
The bill would require covered entities that own or possess data in electronic form containing personal information must provide notification to users or consumers within 30 days of the discovery of a data breach unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public.
The bill also proposed that a covered entity cannot will not be held to that 30 days notification window if the company or organization can show that it’s not feasible in order to accurately identify affected consumers or to prevent further breach or unauthorized disclosures or to reasonably restore the integrity of the data system.
In addition, the bill proposes to make the willful concealment of a breach a crime punishable by up to five years in prison.
The bill also directs the Federal Trade Commission (FTC) to develop strict security standards that businesses would be required to follow to better protect consumers' personal and financial data. It also provides incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.