A Senate bill has been introduced that could result in up to five years in prison for any person who willfully conceals a data breach. On November 30, 2017, Senators Bill Nelson (Fla.), Richard Blumenthal (Conn.), and Tammy Baldwin (Wis.) introduced the Data Security and Breach Notification Act (the “Act”). Under the forty-four-page bill, companies would have to notify consumers within thirty days of discovering a breach. New and costly requirements for companies would also include quarterly provision of a consumer credit report to affected persons for the first two years after a breach and fines of up to $5,000,000. In addition, the bill would grant the Federal Trade Commission (“FTC” or “Commission”) new rule-making authority to promulgate specific data security requirements and to modify the law’s definition of “Personal Information.” The Commission would also have discretion to publicly post breach notices on its website. If passed, the federal law would preempt all states’ data breach notification laws.
The Senators reportedly prepared the legislation in response to Uber’s $100,000 pay-off to hackers to conceal a breach, which went unreported to regulators for over a year. As the most recent attempt at a national data breach notification law, this bill may gain traction due to the Congressional outcry in response to the recent Equifax data breach. The Senate bill is the latest development in an emerging trend of zero tolerance by regulators for failure to comply with statutory requirements, and heightened scrutiny of actions taken by covered entities in response to security breaches. The bill would apply to a variety of organizations. A “covered entity” is defined broadly in the bill, and entities that would be subject to Sections 2 and 3 of the Act would include those persons, partnerships, or corporations over which the FTC has authority under section 5(a)(2) of the Federal Trade Commission Act (“FTCA”), any entities that opt in through agreement with the Commission, and, notwithstanding sections 4 and 5(a)(2) of the FTCA, any nonprofit organization, including 501(c) organizations under the Internal Revenue Code.
The Act directs the Commission to promulgate related regulations within one year. These regulations would require entities that own or possess data containing personal information, or who contract with a third-party entity to maintain or process that data, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information. If the bill were passed, the regulations would further prescribe: a security policy for collection, use, sale, other dissemination, and maintenance of personal information; the identification of an officer or other individual as the point of contact with responsibility for the management of information security; processes for identifying and assessing vulnerabilities in each system maintained by the entity, taking preventative and corrective action to mitigate any vulnerabilities, and disposing of data in electronic form containing personal information; and a standard method or methods for making personal information indecipherable.
Unauthorized access to or unauthorized acquisition of protected electronic data would trigger an entity’s obligation to notify affected individuals about the security breach. Only a handful of states currently require an entity to notify affected persons about a security breach in the event of unauthorized access. The Act would require a covered entity to notify within thirty days each individual whose personal information was or is reasonably believed to have been acquired or accessed without authorization as a result of a security breach. The Commission must also be notified, unless an appointed government agency is notified. The Act would also direct the Secretary of the Department of Homeland Security to designate a Federal Government entity to receive notice from breached entities in special situations, including breaches affecting more than 10,000 individuals, the breach of a database or network containing the information of over one million individuals, the breach of Federal Government databases, or the breach of information relating to Federal employees or contractors involved in national security or law enforcement.
These notification requirements would apply even if the information is being held by a system maintained by a third party on behalf of the entity. An entity must also notify each major credit reporting agency if more than 5,000 individuals must be notified. In addition to the notification requirements, the entity must provide, or arrange for the provision of, consumer credit reports to the individual at no cost to the individual. Currently, such provision of consumer credit reports is mandated only under Connecticut state law. An entity must provide the consumer credit report within sixty days, and the individual must receive the reports quarterly for the next two years. However, an entity is exempt from this requirement if the breach involves unauthorized access or acquisition of only the affected individual’s name or phone number and credit or debit card information. In addition, a covered entity is exempt from the requirements if the covered entity “reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”
The bill would likely create a more secure and stable environment for the protection of personal information. However, with entity executives on the hook for failing to report when their entity’s data is breached, costs will likely increase for these entities, which will be required to address compliance with data protection regulations more adequately. This new era of heightened accountability, and the strict judgment applied to corporate and personal conduct, is a large motivation behind the recent regulatory actions against companies that fail to comply with the law. These regulations emphasize transparency by companies that are vulnerable to security breaches.
In light of many recent high-profile data breaches and their sometimes messy aftermaths, there is no dark corner in which to hide when it comes to managing a breach response in accordance with legal requirements. Companies should consider these new dynamics when responding to data security incidents and ensure events are handled in a defensible and responsible manner. The stakes for failure are high and extremely unforgiving. For example, if the Senate bill is ultimately signed into law, violations of Section 2 of the Act would result in a civil penalty assessed on the covered entity of $5,000,000 for each violation of the section, and violations of Section 3 would result in a civil penalty assessed on the covered entity of $5,000,000 for all violations of the section resulting from a single breach of security. Penalties of up to $2,000,000 would be assessed on an entity for failure to inform law enforcement. That is without counting the amendment to 18 U.S.C. § 1041, the section that would carry the criminal penalty: any person who intentionally and willfully conceals the fact of a breach of security may be “imprisoned for… five years,” in addition to being fined.
The Senate proposal, S. 2179, has been referred to the Committee on Commerce, Science, and Transportation. This same committee, along with the Senate Finance Committee, is responsible for the investigation into Uber’s concealment of its data breach. Senators John Thune, Orrin Hatch, Bill Cassidy, and Jerry Moran signed a letter to Uber on November 27, 2017, demanding answers to questions about the data breach. If the Data Security and Breach Notification Act were to pass, it would take effect one year after the date of enactment.