Democratic senators have re-introduced the Data Security and Breach Notification Act that proposes severe consequences for enterprise executives, including jail time, for failing to notify consumers of a breach.
The proposed data breach legislation would make the willful concealment of a breach a crime that is punishable by up to five years in prison. The bill also states that a "covered entity" must provide notification to users or customers within 30 days of the discovery of the breach unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public. The data breach legislation also provides some wiggle room for the notification deadline in order for enterprises "to accurately identify affected consumers; to prevent further breach or unauthorized disclosures; or to reasonably restore the integrity of the data system," according to the bill.
"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," said Sen. Bill Nelson (D-FL), who sponsored the bill, in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."
Nelson's statement cited the 2016 Uber data breach, which was concealed by company officials and only recently made public. The breach exposed the names, email addresses and phone numbers for 57 million worldwide customers as well as the names and driver's license numbers of 600,000 U.S. drivers.
Nelson first introduced the Data Security and Breach Notification Act in 2015 and introduced another version of the bill last year as well. The current version is co-sponsored by Sen. Richard Blumenthal (D-CT) and Sen. Tammy Baldwin (D-WI).
The proposed data breach legislation includes a provision that requires the Federal Trade Commission to develop new information security standards for businesses to adhere to in order to prevent breaches.
A federal data breach law could potentially replace individual state laws such as California's SB-46 data breach notification statute. Enterprises, however, would still have to contend with the data breach notification laws in other countries, which in some cases are much stricter. For example, the European Union's General Data Protection Regulation will require companies to notify authorities of a data breach within 72 hours when the law goes into effect in May.