Three U.S. Senators want executives who conceal data breaches to face jail time.
In the aftermath of the Uber breach, wherein the company reportedly concealed a breach for over a year, the senators introduced legislation on Nov. 30.
Do you think stiffer enforcement and stringent penalties will ensure companies are properly and promptly notifying consumers when their data has been compromised?
Democratic senators have reintroduced the Data Security and Breach Notification Act, which proposes stiff consequences for executives, including up to 5 years in prison, for failing to notify consumers of a breach. As reported in this TechTarget.com story, “The bill also states that a ‘covered entity’ must provide notification to users or customers within 30 days of the discovery of the breach unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public.”
Florida Sen. Bill Nelson sponsored the bill, while Connecticut Senator Richard Blumenthal and Wisconsin Senator Tammy Baldwin co-sponsored it.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Nelson (D-FL) said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
The Uber breach, which took place in 2016 but only recently became public, is the impetus for the bill’s reintroduction. In that breach, the names, email addresses, and phone numbers for 57 million customers around the world were exposed, as well as the driver’s license numbers of some 600,000 U.S. Uber drivers. Rather than disclosing the incident when they found out, Uber paid the hackers $100,000 to delete the data and keep the incident quiet, as a Bloomberg story recently detailed.
Nelson first introduced the bill in 2015 and reintroduced a new version last year. While some individual states now have data breach laws on the books, this federal data breach law could replace those.
Some data breach notification laws in other countries are much stricter, like the European Union’s General Data Protection Regulation going into effect in May 2018. Under that law, companies must notify authorities of a data breach within 72 hours.
Are you a small business owner concerned about a data breach? You might think the biggest threat to your company is external, but according to the 10th annual Verizon Data Breach Investigations Report, 25 percent of the data breaches it investigated involved internal actors.
Check out our blog post for more information about the four types of employees who could be putting your business at risk. (And read this one for tips on the things you should absolutely train your employees on — like the difference between sensitive and non-sensitive data, proper password hygiene, data encryption, and more.)
The bottom line is every business should have a data breach plan in place. This is where we can help. LibertyID for Small Business prepares you with prevention planning, a crisis response plan and fully managed identity theft restoration for your employees (no matter how their identity is compromised) and for your customers should you experience a data breach. When a data breach happens, our team of specialists goes to work.
Image: Unsplash