On Thursday, November 30, 2017, three Democratic senators introduced a new bill called the Data Security and Breach Notification Act in the government’s latest effort to strengthen the nation’s cybersecurity. Of note, the bill requires companies to notify customers within 30 days of their discovery of a data breach. It also includes a controversial five-year prison sentence for those found to have concealed the breach. The bill appears to be in response to the recent reports that Uber paid $100,000 to cover up a 2016 breach, which affected approximately 57 million users. It further comes in the wake of the Equifax breach that affected 145 million people.
Despite the severe penalties, the proposed bill is limited in scope. In particular, a company falls outside the bill where it “reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.” Moreover, if a breach compromises only customers’ names, addresses and/or phone numbers, the bill would not apply. In addition to its punitive elements, the bill creates incentives for businesses to adopt protective technology and directs the Federal Trade Commission to create national standards for protecting consumer data.
Senator Bill Nelson (D-FL), the top Democrat on the Senate Commerce Committee, re-introduced the bill this past week. He first proposed it in 2015, when it was one of several bills put forward to protect customers from breaches, and he tried to pass it during the last session. That 2015 attempt failed when the Senate split over concerns about privacy and potential over-regulation. Specifically, opponents of the then-current version argued that it would leave consumers worse off, because it would pre-empt stronger state laws and cancel out some existing federal-level protections.
Currently, there is no uniform law: 48 states each have their own data breach notification statute, with their own definitions of covered data and notification deadlines. The proposed bill seeks to create a single national standard for notification so that businesses notify affected individuals of breaches in a timely manner and those individuals can take steps to protect their personal information. A fixed notification deadline would also indirectly encourage companies to take the necessary steps to protect consumer data in the first place. Nevertheless, it remains to be seen whether a federal breach notification law will actually be passed, given the many failed attempts over the last several years.