As we near the end of a year that has seen more than its share of massive data breaches, two bills have been introduced (one re-introduced) in the U.S. Senate.
Consumer Privacy Protection Act of 2017: The Consumer Privacy Protection Act of 2017 would set a national standard for implementation of "comprehensive consumer privacy and data security program(s)" by companies which collect and hold data on at least 10,000 Americans. The language includes the by-now typical requirement that the program include "administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity."
Data Security and Breach Notification Act: Three U.S. Senators followed the Consumer Privacy Protection Act of 2017 with the re-introduction of a bill called the Data Security and Breach Notification Act in an effort to standardize the current patchwork of state-based breach reporting requirements. The new law would require companies to report a data breach within 30 days, with a penalty of up to five years in prison for knowingly concealing a breach.
With specific breach reporting requirements varying drastically across 48 states, the proposed bill could provide a helpful and appropriate baseline for companies nationwide to follow. In fact, a similar provision already governs the health industry: the HIPAA Breach Notification Rule for health providers and businesses requires that breaches be reported no later than 60 days after detection. While attempts at a nationwide breach reporting law have been proposed in Congress before, and a handful of new bills concerning data breaches have been introduced this year, one has yet to reach a vote. The latest Data Security and Breach Notification Act would apply to companies that use, store, or access sensitive or personally identifying information for more than 10,000 people per year, and outlines several breach notification requirements including the 30-day reporting rule. Companies will need to develop procedures to assess “reasonably foreseeable” system vulnerabilities, as well as methods to destroy or render unreadable consumer data that is no longer being used. The bill also tasks the Federal Trade Commission with establishing new security standards and incentives for businesses to implement technology that makes consumer data “unusable or unreadable if stolen during a breach.”
The proposed bill arrives in the wake of a disastrous wave of data breaches. Most recently, a massive breach at credit monitoring agency Equifax Inc. exposed the sensitive personal and financial information of 145 million Americans. Equifax’s executives waited 41 days to alert the public after discovering the breach, leaving customers unaware that they were at high risk of identity theft or financial compromise (for instance, over 200,000 people have had their credit card information stolen since the breach). However, ride-sharing company Uber waited even longer – just last month, Uber’s executives finally disclosed that hackers accessed the personal data of 57 million riders and drivers in late 2016. This data included phone numbers, email addresses, names, and driver’s license numbers. Instead of alerting the public and relevant authorities, Uber paid the hackers $100,000 to keep quiet and destroy the data. Such a response not only violates the breach notification laws of California, where Uber is headquartered, but also perpetuates the dangerous “attacker business model” in which hackers solicit payments to unlock files captured in ransomware attacks.
The provision of a national reporting standard might reduce compliance costs for companies and vendors, who under the status quo must invest time and resources in navigating 48 different state-based reporting laws. The standard would also provide consumers greater certainty in how their data will be managed across the marketplace, regardless of where they are taking their business. At a Congressional hearing with current and former Equifax executives in November, there appeared to be bipartisan agreement that greater protections for personal data must be enacted.