Democrats in the Senate Commerce Committee have reintroduced legislation that carries prison time for corporate executives caught deliberately concealing data breaches like the 2016 incident recently disclosed by Uber.
Sen. Bill Nelson of Florida, the committee’s ranking Democrat, revived his Data Security and Breach Notification Act on Thursday in the wake of Uber disclosing an incident last week that compromised the personal information of 57 million customers 13 months earlier.
The bill requires companies to disclose data breaches within 30 days of discovering them, and a provision states that anyone who intentionally and willfully conceals such a breach faces up to five years’ imprisonment.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Mr. Nelson said in a statement.
“Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear,” Mr. Nelson said.
Mr. Nelson sponsored a similar bill in 2014 before introducing the Data Security and Breach Notification Act in 2015. Neither effort proved successful, however, leaving the federal government without nationwide notification standards notwithstanding the onslaught of subsequent security breaches.
This time around his bill has already garnered the support of two fellow members of the chamber’s Commerce Committee: Wisconsin Sen. Tammy Baldwin and Connecticut Sen. Richard Blumenthal, both Democrats.
Uber announced last week that the records of 57 million customers were hacked in October 2016, triggering lawsuits throughout the country and spurring investigations launched by attorneys general in several states.
The popular ride-sharing app has hardly been the only company to take its time acknowledging a breach, however. In September, for example, Equifax disclosed a data breach affecting roughly 145 million Americans 41 days after the fact; in 2016, meanwhile, Yahoo disclosed that 500 million accounts were hacked two years earlier.
“The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage,” Ms. Baldwin said in her own statement Thursday.
In addition to imposing criminal penalties for companies and executives caught concealing breaches, the revived bill also directs the Federal Trade Commission (FTC) to develop mandatory security standards for business and provide incentives for adopting new, security-minded technologies, Mr. Nelson’s office said in a statement.
The FTC is “closely evaluating the serious issues raised” by the Uber breach, the agency said last week.