Blog Post

The Data Security And Breach Notification Act Would Criminalize Failure To Timely Report Breaches

In response to delayed reporting of major breaches, senators introduced legislation that would subject executives to criminal prosecution for reporting data breaches in an untimely manner. Although nearly all states have data breach notification laws requiring companies to report data breaches, each jurisdiction varies greatly in terms of its requirements and penalties. The proposed federal legislation, entitled the “Data Security and Breach Notification Act,” would mandate companies to report data breaches within 30 days of learning of a breach. Knowingly concealing the existence of a data breach could result in financial penalties, as well as a criminal prosecution that could lead to five years in prison. The driver for this legislation did not come directly from the healthcare sector, although healthcare likely factored into the senators’ consideration.

The legislative sponsors’ opening statement reveals that the main impetus for the legislation was the recent Uber scandal. In that case, hackers obtained data from 57 million consumers and Uber paid the hackers $100,000 in exchange for their silence regarding the breach. Uber did not disclose the breach to the public or regulators for over one year. This scandal followed the massive Equifax hacking scandal that exposed names, social security numbers, and other private data of more than 145 million people. Equifax did not report the breach for over 40 days.

Have Compliance Concerns? We Have Solutions.

Connect with a Compliance Consultant Today

The bill directs the Federal Trade Commission (FTC) to develop new security standards to aid businesses that handle consumers’ personal and financial data, in addition to the criminal penalties for willful failure to act upon data breaches. It would also task the FTC with providing “incentives” to businesses that adopt technology that makes consumer data “unusable or unreadable if stolen” in a data breach. Companies would be required to create procedures for assessing “reasonably foreseeable” vulnerabilities in their systems. Further, they would be required to implement processes for either destroying sensitive consumer data no longer in use or making it “permanently unreadable or indecipherable.”

The Data Security and Breach Notification Act is not the only pending Senate legislation on the subject. The “Data Broker Accountability and Transparency Act” was another bill proposed earlier this year, in response to the Equifax breach. That bill would mandate data brokers to create privacy and security measures for notifying the public after a breach.

Connect with a Compliance Consultant Expert

Strategic Management Services has decades of experience assessing and monitoring compliance programs. If you have questions about how to effectively protect your organizations against data breaches, fill out our online contact form or get in touch with an expert at (703) 683-9600.

Subscribe to blog