Senate Democrats Introduce Federal Data Breach Notification Legislation

(December 4, 2017) On November 30, Senators Bill Nelson (D-FL), Richard Blumenthal (D-CT), and Tammy Baldwin (D-WI) introduced the Data Security and Breach Notification Act, which would require companies to notify their customers of data breaches within 30 days of discovery. Additionally, the bill would set a five-year prison sentence for any individual caught concealing a data breach. The bill also directs the Federal Trade Commission to create security standards for the protection of consumers' data and incentivizes companies to adopt technologies that encrypt that data, making it unusable or unreadable if breached.

The bill does include some limitations. For example, it would not apply if a breach is limited to last names, addresses, or phone numbers. Additionally, an incident would not be covered by the bill if the company "reasonably concluded that there is no risk of identity theft, fraud, or other unlawful conduct."

Nelson, the lead sponsor of the legislation, introduced a similar bill last year, but it did not move. As he explained in a statement [https://www.billnelson.senate.gov/media-center/newsroom/nelson-files-bill-requiring-prompt-disclosure-corporate-data-breaches] on the introduction of the current legislation, "We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers."


Jen Ortega serves as a consultant to EDUCAUSE on federal policy and government relations. She has worked with EDUCAUSE since 2013 and assists with monitoring legislative and regulatory proposals across a range of policy areas, including cybersecurity, data privacy, e-learning, and accessibility.