Companies would be required to take minimum steps to prevent data breaches that expose the personal information of customers and to make timely notifications when breaches occur, under a bill introduced in the Senate on Tuesday.
The Consumer Privacy Protection Act of 2017 would establish baseline privacy protection and data security criteria for seven categories of private consumer information. Those categories include Social Security numbers, financial accounts, online usernames and passwords, medical information, geolocation data, and digital photos and videos.
U.S. Sen. Edward Markey (D-MA), who introduced the bill with U.S. Sen. Patrick Leahy (D-VT) and five additional senators, said data breaches are “a black cloud” hanging over the country’s “bright economic horizon.”
“Congress must act swiftly to ensure that Americans’ personal and sensitive information is properly safeguarded,” Markey said. “The Consumer Privacy Protection Act requires companies to adhere to strong data security standards and creates penalties for companies that fail to meet them. I thank Sen. Leahy for his leadership on this issue and look forward to working with my colleagues to pass this important legislation.”
Introduction of the bill follows the Equifax data breach that exposed the personal information of nearly half the American public, as well as increasing threats from criminal hackers and foreign powers.
“Companies that profit from our personal information should be obligated to take steps to keep it safe, and to provide notice and protection to consumers when those protections have failed,” Leahy said. “This is a comprehensive program to help ensure that when Americans entrust corporations with their most sensitive personal information, these firms take the right steps to keep it secure and to do the right thing if breaches do occur. In today’s world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security.”
The measure has gained the support of various consumer privacy advocacy organizations, including the Consumer Federation of America and the Center for Democracy & Technology.
“This bill takes the right approach to address our data breach crisis by requiring strong security measures to be implemented from the start, not just notice after a breach has occurred,” Susan Grant, the director of consumer protection privacy at the Consumer Federation of America, said.
Michelle De Mooy, the director of privacy and data at the Center for Democracy & Technology, said data breaches have become “ubiquitous, but they are not inevitable.”
“Enacting common sense legislation to hold companies accountable for their data practices is long overdue,” De Mooy said. “We are pleased to support Sen. Leahy’s bill, which protects both Americans’ personal information and their ability to trust the digital ecosystem.”