As we near the end of a year that has seen more than its share of massive data breaches, two bills have been introduced (one re-introduced) in the U.S. Senate.
Consumer Privacy Protection Act of 2017: The Consumer Privacy Protection Act of 2017 would set a national standard for the implementation of “comprehensive consumer privacy and data security program(s)” by companies that collect and hold data on at least 10,000 Americans. The language includes the by-now typical requirement that the program include “administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.”
The legislation’s coverage extends the usual universe of protected data (Social Security, drivers’ license, and passport numbers, financial account numbers or debit/credit card numbers in combination with a security code or PIN) to online usernames and passwords, unique biometric data such as fingerprints and retina or iris scans, physical and mental health data, geolocation data, and private digital photographs and videos.
The bill would also allow the United States Attorney General, state attorneys general, and the Federal Trade Commission to enforce alleged violations of the breach notification or security rules, which could subject companies to civil penalties of at least $16,500, depending on the number of records that were breached. The bill does not provide for a private right of action.
The legislation would require notification to be made “as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach.”
The law would also require companies to provide “five years of appropriate identity theft prevention and mitigation services” at no cost to any individual who asks for it, and prohibits automatic enrollment in the identity theft prevention and mitigation services without their consent.
The text of the bill can be found here.
Data Security and Breach Notification Act: Three U.S. Senators followed the Consumer Privacy Protection Act of 2017 with the re-introduction of a bill called the Data Security and Breach Notification Act in an effort to standardize the current patchwork of state-based breach reporting requirements. The new law would require companies to report a data breach within 30 days, with a penalty of up to five years in prison for knowingly concealing a breach.
With the specific requirements for breach reporting varying drastically across 48 states, the proposed bill could provide a helpful and appropriate baseline for companies nationwide to follow. In fact, a similar provision already governs the health industry: the HIPAA Breach Notification Rule for health providers and businesses requires that breaches be reported no less than 60 days after detection. While attempts at a nationwide breach reporting law have been proposed in Congress before, and a handful of new bills concerning data breaches have been introduced this year, none has yet reached a vote.

The latest Data Security and Breach Notification Act would apply to companies that use, store, or access sensitive or personally identifying information for more than 10,000 people per year, and outlines several breach notification requirements, including the 30-day reporting rule. Companies would need to develop procedures to assess “reasonably foreseeable” system vulnerabilities, as well as methods to destroy or render unreadable consumer data that is no longer being used. The bill also tasks the Federal Trade Commission with establishing new security standards and incentives for businesses to implement technology that makes consumer data “unusable or unreadable if stolen during a breach.”
The proposed bill arrives in the wake of a disastrous wave of data breaches. Most recently, a massive breach at credit monitoring agency Equifax Inc. exposed the sensitive personal and financial information of 145 million Americans. Equifax’s executives waited 41 days to alert the public after discovering the breach, leaving customers unaware that they were at high risk of identity theft or financial compromise (for instance, over 200,000 people have had their credit card information stolen since the breach). Read more about the implications of the Equifax breach at our previous post here. However, ride-sharing company Uber waited even longer – just last month, Uber’s executives finally disclosed that hackers had accessed the personal data of 57 million riders and drivers in late 2016. This data included phone numbers, email addresses, names, and drivers’ license numbers. Instead of alerting the public and the relevant authorities, Uber paid the hackers $100,000 to keep quiet and destroy the data. Such a response not only violates the breach notification laws of California, where Uber is headquartered, but also perpetuates the dangerous “attacker business model” in which hackers solicit payments to unlock files captured in ransomware attacks.
The provision of a national reporting standard might reduce compliance costs for companies and vendors, who under the status quo must invest time and resources in navigating 48 different state-based reporting laws. The standard would also give consumers greater certainty about how their data will be managed across the marketplace, regardless of where they take their business. At a Congressional hearing with current and former Equifax executives in November, there appeared to be bipartisan agreement that greater protections for personal data must be enacted.