Florida Senator Bill Nelson introduced legislation toward the end of November 2017 that would require organizations to adhere to a more prompt data breach disclosure process. Companies that do not follow the requirements and attempt to deliberately conceal a data breach would face criminal penalties.
Nelson introduced a similar version of the Data Security and Breach Notification Act in 2016 as well, but was prompted by the large-scale Uber data breach to file the legislation again.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson explained in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
The bill requires that companies take the following information into consideration with their information security practices:
- The size of, and the nature, scope, and complexity of the activities engaged in by the company
- The current state of the art in administrative, technical, and physical safeguards for protecting such information
- The cost of implementing such safeguards
- The impact on small businesses and non-profits
Organizations subject to the HITECH Act or the HIPAA Security Rule “shall be deemed in compliance with…respect to any data governed” by those requirements, the legislation states.
Notification must be made “not later than 30 days after the date of discovery of a breach of security” or as soon as possible.
“Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both,” the bill reads.
The Uber data breach in question raised concerns because company leaders reportedly concealed the incident from drivers and customers for nearly one year. The incident affected 57 million accounts.
Nelson is hardly the first lawmaker to push for change with the data breach notification process following recent large-scale data breaches. Both Vermont and New York recently introduced legislation to push for a more stringent process.
The Vermont House Committee on Commerce and Economic Development announced in November 2017 that it would hold hearings to discuss data privacy and security issues.
Chittenden County Sen. Michael Sirotkin stated at a press conference that he wants Vermont residents to have new legal options should another breach along the lines of Equifax happen again.
“What that means is that consumers will have a private right of action, if this bill passes, where they will be able to get their damages for their time and expense and their attorneys’ fees and the cost of repairing the problem,” Sirotkin said, according to Vermont Public Radio.
New York Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), with Senator David Carlucci and Assemblymember Brian Kavanagh sponsoring the bill.
“New York's data breach notification law needs to be updated to keep pace with current technology,” reads the bill’s summary. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information.”