Senators Again Propose National Breach Notification Law

A trio of Democratic Senators is attempting to catapult Congress into the information security era by pushing for passage of a U.S. national data breach notification law.

Sen. Bill Nelson of Florida, the top Democrat on the Senate Commerce Committee, on Thursday announced a bill, dubbed the Data Security and Breach Notification Act. Many other similar bills introduced earlier have failed to advance.

The data breach notification measure would give companies a maximum of 30 days to notify victims and authorities after they discover a data breach. The bill also would make it a crime - punishable by up to five years in prison - to knowingly conceal a breach. Nelson's bill is being co-sponsored by two fellow Democratic committee members, Sen. Richard Blumenthal of Connecticut and Sen. Tammy Baldwin of Wisconsin. It would not supersede HIPAA's breach notification rule for the healthcare sector or the cybersecurity requirements of the Gramm-Leach-Bliley Act for the financial sector.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Nelson says. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

The bill represents a repeat play by Nelson, who introduced the same legislation last year. This year, however, the proposed legislation comes on the heels of ride-sharing firm Uber on Nov. 21 warning that it suffered a breach that exposed personal information for 57 million of its riders and drivers.

The company concealed the breach for a year. Uber CEO Dara Khosrowshahi, who joined the company in early September, also waited until two months after he first learned of the breach to finally issue the company's data breach notification (see Did Uber Break Breach Notification Minimum-Speed Limits?).

All previous efforts by Congress to enact national breach notification requirements have failed. Not even the massive Equifax breach appears to have swayed the majority of U.S. lawmakers to act (see Cynic's Guide to the Equifax Breach: Nothing Will Change).

Breach Forecast: Bad, Becoming Worse

The data breach forecast is clear: Things are only going to get worse. Driving that trend are cloud services, organizations gathering and storing as much of people's personal information as they can get their hands on - and never deleting it - and a widespread "lack of accountability" whenever anything goes wrong, Australian data breach expert Troy Hunt told a House Committee on Energy and Commerce subcommittee at a Thursday hearing (see 2017: 'Year of the Breach' Redux?).

"The industry has created a 'perfect storm' for data exposure," Hunt said. "The rapid emergence of cheap, easily accessible cloud services has accelerated the growth of other online services collecting data. Further to that, the rapidly emerging internet of things is enabling us to digitize all new classes of information, thus exposing them to the risk of a data breach."

States Take Consumer Protection Lead

So far, Congress has failed to pass any law requiring businesses and other organizations to warn consumers when they lose control of people's personal information, except in the case of health data breach notifications, which are required under HIPAA. Otherwise, states have taken up the consumer protection and privacy-safeguarding cause, starting with California in 2003. Since then, 47 other states as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands have passed some type of breach notification law. Only Alabama and South Dakota lack data breach notification laws (see Delaware Toughens Data Breach Notification Law).

Various Congressional committees have approved data breach notification bills in the past. But besides failing to become law, Congressional breach notification bills have largely also failed to satisfy consumer protection experts. Many have been much weaker than laws already in effect in some states, including California and Massachusetts, which prescribe specific information security requirements that all organizations must put in place.

Have I Been Pwned?

Besides notification laws, grassroots efforts have also been instrumental in alerting individuals after their personal details appear to have been compromised. Hunt, for example, runs the free breach notification service Have I Been Pwned, which allows anyone to register their email address. Whenever that email address surfaces in a public data dump, the service automatically emails users to warn them (see Troy Hunt: The Delicate Balance in Data Breach Reporting).

Since launching the service four years ago, Hunt told the House subcommittee, he's logged "more than 250 separate incidents and over 4.8 billion records."

Such notifications, however, may come months or years after the breach occurred (see Yes, I Have Been Pwned).

"There is frequently a long lead-time - sometimes many years - between a data breach and the service owner - and those in the breach - learning of the incident," Hunt told the House subcommittee. "We have no idea of how many incidents have already occurred but are yet to come to light."