Data Security and Breach Notification Act Introduced in Senate

The Senate is to vote on a national data breach notification bill – the Data Security and Breach Notification Act – that aims to standardize breach notification requirements across all states. Currently there is a patchwork of data breach notification laws across the United States, each with different reporting requirements. If passed, the Data Security and Breach Notification Act would replace state laws.

While there is a clear need for national standards to ensure all consumers are equally protected regardless of where they live, all previous attempts to introduce nationwide standards for data breach notifications have failed.

The Data Security and Breach Notification Act was introduced by Sen. Bill Nelson (D-FL), with the bill co-sponsored by Sen. Richard Blumenthal (D-CT) and Sen. Tammy Baldwin (D-WI).

Sen. Nelson first introduced the bill in 2015, and introduced a revised version a year later, both of which failed. Announcing the bill, Nelson highlighted the recent Uber data breach, which saw the names, phone numbers, and email addresses of more than 57 million customers and the names and driver’s license details of 600,000 U.S drivers exposed. Uber became aware of the breach in 2016, negotiated with the hackers and paid them $100,000 to destroy the stolen data, and attempted to coverup the breach. Details of the breach were only recently made public.

Following the announcement of the Uber breach, the massive Equifax breach, and other major breaches that have resulted in considerable harm to U.S. consumers, it is hoped that this time around the bill will progress.

Sen. Baldwin said, “The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage.”

If passed, the Data Security and Breach Notification Act would require notifications of data breaches to be issued to state authorities and breach victims within 30 days of the discovery of a breach.

The breach reporting requirements of the Data Security and Breach Notification Act are tougher than those in most states, as are the penalties for concealing a data breach. Executives of companies that knowingly conceal and fail to report a data breach would face up to five years in jail.

Financial institutions covered by, and in compliance with, the Gramm-Leach-Bliley Act will be deemed to be in compliance with the Data Security and Breach Notification Act, as will organizations that comply with Section 13401 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, or 1173(d) 19 of title XI, part C of the Social Security Act, with respect to data covered by section 13401 of the HITECH Act or the HIPAA Security Rule.

The bill also calls for the Federal Trade Commission (FTC) to develop a new set of security standards that business can follow to help prevent data breaches.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said, Sen. Nelson. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.  When it comes to doing what’s best for consumers, the choice is clear.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.