Businesses would have to adhere to new customer notification requirements for data breaches under a bill introduced in the Senate on Thursday, and corporate employees could face new criminal penalties for deliberately concealing breaches.
Democratic members of the Senate Commerce, Science and Transportation Committee introduced the Data Security and Breach Notification Act in response to recent reports that Uber concealed a data breach that affected 57 million accounts.
Under the bill, companies would be required to notify customers of data breaches within 30 days. Attempting to conceal data breaches would be a crime punishable by up to five years in prison.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that info has been stolen by hackers,” U.S. Sen. Bill Nelson (D-FL), the ranking member of the committee and a sponsor of the bill, said. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
The measure would also direct the Federal Trade Commission (FTC) to establish security standards to help companies protect the personal and financial information of their customers. Businesses would also be incentivized to develop new technologies to make consumer data unusable or unreadable in the event of a breach.
“Only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised,” U.S. Sen. Richard Blumenthal (D-CT), a member of the committee and a sponsor of the bill, said. “Uber’s stunning announcement of a data breach — made public a year after the fact — is yet another example of corporate carelessness in the face of a cyber intrusion that put their customers and employees’ personal and financial information at risk. American consumers simply deserve better. Our legislation will give the FTC real teeth to hold accountable businesses that refuse to implement reasonable security practices.”
U.S. Sen. Tammy Baldwin (D-WI), another sponsor of the bill, said recent data breaches at Uber and Equifax will have “profound, long-lasting impacts” on the integrity of many Americans’ identities and finances.
“At a recent Commerce Committee hearing, I asked Equifax executives point blank if they were going to notify every single American affected by the massive data breach that their personal information was hacked,” Baldwin said. “I did not get a straight answer and that’s not acceptable. The Senate needs to take action to hold these companies accountable and require them to notify affected consumers when their personal information has been breached. This legislation will make sure we are doing right by consumers.”