Three Democratic senators introduced legislation Thursday requiring companies to notify customers of data breaches within 30 days of their discovery and imposing a five-year prison sentence on organizations caught concealing data breaches.
The new bill, called the Data Security and Breach Notification Act, comes in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Bill Nelson, D-Fla., said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
The scope of the legislation is limited. For instance, if only a last name, address or phone number is revealed in a breach, the law would not apply. If an organization “reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct,” the incident is considered exempt from the legislation.
Nelson, the top Democrat on the Senate Commerce Committee, filed the legislation Thursday with co-sponsors Richard Blumenthal, D-Conn., and Tammy Baldwin, D-Wis.
Nelson introduced similar legislation last year. He spoke about the need for legislation at a hearing on data breaches earlier this month:
The bill also directs the Federal Trade Commission (FTC) to create security standards for the protection of consumer data and, in Nelson’s words, “provides incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.”
The idea of a national data breach notification law was gaining traction earlier this year in the wake of the Equifax data breach that affected 145 million people.
Rep. Gerry Connolly, D-Va., told CyberScoop he was hoping for a national standard to evolve among the private sector, but massive breaches like Equifax may force Congress’s hand.
Congress doesn’t “want to upset the technology community with obtrusive regulation,” but the private sector has been poor in instilling confidence that it will act in the public’s best interest, he said.
“I think it’s headed that way absent some fresh look by industry, a benchmark standard that everybody’s accepted voluntarily to meet, so that federal regulation is unnecessary,” Connolly told CyberScoop in October. “I think Equifax is a great test of whether industry is capable of meeting that test.”
Currently, 48 states have their own data breach notification laws, but they differ wildly.
You can read the bill in full below.
Greg Otto contributed to this report.
Correction: The Equifax data breach impacted 145 million individuals, not 143 million as previously reported.