Three US senators introduced a bill on Thursday that would make it mandatory for companies to report breaches to customers within 30 days, and that also carries fines and possible prison time for executives who conceal breaches from users and authorities.
The new bill is named the Data Security and Breach Notification Act and is sponsored by three Democrats: Sen. Bill Nelson (Florida), Sen. Richard Blumenthal (Connecticut), and Sen. Tammy Baldwin (Wisconsin).
This is the second time a bill with this name has been introduced. Four senators, including Nelson, tried to push a previous version of this bill in 2014, during the Obama administration, but failed to get the support they needed.
The 2014 bill came shortly after the Target and Neiman Marcus breaches, and its main objective was to force companies to store data in a more secure manner and ensure all customers receive breach notifications in due time.
This new bill comes as a response to the recent Uber debacle, where the company paid $100,000 as hush money to two hackers to keep quiet about a security incident that took place in late 2016. The company came clean about the breach a year later, after a change in management, revealing that hackers stole details for almost 57 million drivers and customers.
The new Data Security and Breach Notification Act includes language that punishes company executives who intentionally conceal a breach with fines and a prison sentence of up to five years.
Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both. [Page 37]
But this is not the bill's main purpose, even if some users would take comfort in the fact that some overpaid executives will see the inside of a jail cell if they screw up.
The bill's main purpose is to homogenize data breach notification laws across US states. Currently, each US state forces companies to disclose breaches in a different manner, while some states don't even have such laws in the first place.
The new federal-level Data Security and Breach Notification Act will require companies to notify customers of security breaches no more than 30 days after the breach took place. It also directs the Federal Trade Commission (FTC) to develop security standards to help businesses protect consumers' personal and financial data, and to provide incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.
"The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage," said Senator Baldwin, one of the bill's co-sponsors.