Fueled by anger over recent high-profile security breaches, congressional lawmakers on Nov. 30 filed a bill that could subject executives at organizations that fail to disclose breaches to up to five years of jail time.
Members of the United States Senate Commerce Committee introduced a bill that proposes prison sentences for any executives who conceal data breaches that cause any individual to lose more than $1,000. The bill, called the Data Security and Breach Notification Act, would also implement nationwide data breach notification standards, a topic that garnered significant attention during congressional hearings over breaches at Equifax, Yahoo, and Uber.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Sen. Bill Nelson (D-Fla.), who filed a similar bill last session. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
Signing on to the bill with Nelson, ranking member of the Commerce Committee, were Sens. Richard Blumenthal (D-Conn.) and Tammy Baldwin (D-Wisc.).
The bill calls for “covered entities” to report data breaches within 30 days or “as promptly as possible” if the organization can show that disclosure within 30 days is not feasible. It also calls for the Federal Trade Commission to create security standards for businesses to follow.
“The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage,” said Sen. Baldwin.