Under a proposed new law, executives who fail to disclose a data breach could soon receive a swift punishment: jail time.
Legislation filed last week in the Senate would impose criminal penalties on executives who neglect to disclose data breaches in a timely manner. The bill, the Data Security and Breach Notification Act, would compel companies to disclose data breaches no later than 30 days after the date they were discovered. Furthermore, individuals who either knowingly or deliberately conceal a breach could face up to five years in prison.
The bill was filed last Thursday by three Senators: Bill Nelson (D-FL), Richard Blumenthal (D-CT) and Tammy Baldwin (D-WI).
The legislation was largely spurred by Uber’s disclosure last month, shortly before Thanksgiving, that the transportation behemoth had paid two hackers to conceal a massive 2016 breach affecting 57 million accounts. Uber not only paid the hackers $100,000 to keep the breach quiet, it also had them destroy the stolen data and sign nondisclosure agreements, a sure sign the company never intended to let the breach see the light of day. Dara Khosrowshahi, Uber's CEO, apologized for the breach in a blog post last month and said he had only recently learned of it.
That hasn't stopped multiple cities and states from filing lawsuits against the company in the wake of the announcement. Most of the suits allege Uber violated data breach notification laws already on the books in specific jurisdictions, namely Los Angeles, Chicago and Washington state, which require companies to inform residents when their information is put at risk. Nearly every state - along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands - has a data breach notification law in place. Only two states, South Dakota and Alabama, lack such a law.
Section 1041 of the bill, the part that relates to the concealment of breaches, has some conditions. The executive has to have “intentionally and willfully” concealed a data breach, and the breach has to have caused economic harm to an individual in the amount of $1,000 or more. If those conditions are met, the bill calls for a fine, imprisonment for no more than five years, or both.
The bill's notification duty also applies only to breaches that carry a “reasonable risk of identity theft, fraud, or other unlawful conduct”; breaches that don't would be exempt. If only a last name, address or phone number is leaked, the law wouldn't apply either.
If Uber did demand that the hackers destroy the stolen data, it very likely ran afoul of Federal Trade Commission breach-response guidance, which tells companies not to destroy any forensic evidence over the course of their investigation. It shouldn't come as a surprise, then, that the breach reportedly ruffled a few feathers at the FTC as well. A spokesman for the commission told Reuters shortly after Uber's disclosure that it was “closely evaluating” the issues raised.
Nelson said Thursday the bill would direct the FTC to develop standards that businesses would be required to follow in order to better protect consumers' personal and financial data. It would also provide incentives to businesses that adopt technology that makes consumer data unusable or unreadable if stolen during a breach.
As is the case with any legislation, there will be some hurdles to jump. The bill is the third iteration of its kind introduced by Nelson, who filed a similar version of the act in 2015. Nelson is hardly the first politician to campaign for a data breach notification act. Sen. Pat Toomey (R-PA), Rep. Marsha Blackburn (R-TN) and Sen. Mark Pryor (D-AR) have all introduced legislation over the last decade or so that would require organizations to implement security measures protecting electronic information against unauthorized access and acquisition. This bill, like others before it, will likely be referred to the Senate's Committee on Commerce, Science, and Transportation, on which Nelson is the ranking member, to be discussed at some point in 2018.
It’s possible that Nelson’s latest bill will catch on, especially in the wake of Uber’s revelations and, before that, Equifax’s disclosure that 145.5 million Americans may have had their personal information compromised after hackers breached its systems.
The class action lawsuits against Uber will likely only go so far. Even if the bill doesn’t pass immediately, it’s clear lawmakers, one way or another, are aiming to hold companies accountable for their consumers’ personal and financial data. Sen. Blumenthal, one of the bill's co-sponsors, urged the Federal Trade Commission last week to take action against Uber and impose "significant penalties." Baldwin echoed those sentiments Thursday and said the Senate needs to take action and hold these companies liable.
"At a recent Commerce Committee hearing, I asked Equifax executives point blank if they were going to notify every single American affected by the massive data breach that their personal information was hacked," Baldwin said Thursday. "I did not get a straight answer and that’s not acceptable. The Senate needs to take action to hold these companies accountable and require them to notify affected consumers when their personal information has been breached. This legislation will make sure we are doing right by consumers.”