There is a proposed bill called the Data Security and Breach Notification Act that the Senate will vote on. The purpose of the bill is to standardize breach notification requirements across all states. Right now, each state has its own law with different reporting requirements. If approved, the Data Security and Breach Notification Act would be enforced instead of the state laws.
Despite the clear need for national standards to protect consumers in all states, previous attempts at standardizing nationwide data breach notification have failed. Sen. Bill Nelson (D-FL) introduced the Data Security and Breach Notification Act, co-sponsored by Sen. Tammy Baldwin (D-WI) and Sen. Richard Blumenthal (D-CT). The bill was first introduced in 2015 and revised a year later. Both versions failed.
Now, the need for the bill is more apparent after the recent Uber data breach. Information such as the names, email addresses and phone numbers of over 57 million customers was exposed. In addition, the names and driver’s license details of 600,000 drivers were exposed. When Uber learned of the breach, the company negotiated with the hackers and paid them $100,000 to destroy the stolen information. Uber covered up the breach, which is why it was only made public recently. After the publicity of the Uber breach, other major breaches came to light, including the Equifax breach, causing harm to U.S. consumers. Hopefully, this time the bill will be approved.
If approved, the Data Security and Breach Notification Act would require companies to notify state authorities and breach victims within 30 days of discovering a breach. This is a tougher reporting requirement than most states impose. The penalty for concealing a data breach is also tougher: company executives who conceal and fail to report a breach can face up to 5 years in prison. A financial institution will be regarded as compliant with the Data Security and Breach Notification Act if it is already compliant with the following:
- Gramm-Leach-Bliley Act
- Section 13401 of the Health Information Technology for Economic and Clinical Health (HITECH) Act
- Section 1173(d) of title XI, part C of the Social Security Act
- HIPAA Security Rule
The bill would also require the Federal Trade Commission (FTC) to develop a set of security standards that businesses can follow to prevent data breaches. Congress needs to take action now so that companies can be held accountable for failing to keep consumer data safe and for failing to give proper notification when hackers have stolen that data.