Senators Introduce Data Breach Disclosure Legislation

Dec. 4, 2017
Three Democratic senators—Florida Senator Bill Nelson, Senator Richard Blumenthal of Connecticut and Wisconsin Senator Tammy Baldwin—introduced legislation that requires companies to promptly report data breaches and imposes new criminal penalties for executives who deliberately try to conceal data breaches.

The proposed bill, the Data Security and Breach Notification Act, was introduced in the wake of Uber’s recent disclosure of a major 2016 data breach. According to Uber, hackers accessed the personal information of 57 million riders and drivers last year, a breach that the company did not disclose publicly until two weeks ago. At the time of the breach, Uber paid the hackers $100,000 to destroy the data and did not tell regulators or users that their information had been stolen, according to media reports.

The legislation would, among other things, require companies to notify consumers of a data breach within 30 days, and make knowingly concealing a breach a crime punishable by up to five years in prison.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Nelson said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.  When it comes to doing what’s best for consumers, the choice is clear.”

The bill would require covered entities that own or possess electronic data containing personal information to notify users or consumers within 30 days of discovering a data breach, unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public.

The bill also proposes that a covered entity will not be held to the 30-day notification window if the company or organization can show that meeting it is not feasible because of the time needed to accurately identify the affected consumers, to prevent further breaches or unauthorized disclosures, or to reasonably restore the integrity of the data system.

In addition, the bill proposes to make the willful concealment of a breach a crime punishable by up to five years in prison.

The bill also directs the Federal Trade Commission (FTC) to develop strict security standards that businesses would be required to follow to better protect consumers' personal and financial data. It also provides incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.
