Sen. Bill Nelson, D-Florida, introduced a bill Thursday that would require all U.S. organizations to notify consumers of data breaches within 30 days and impose criminal penalties on executives who deliberately attempt to conceal the event.
The Data Security and Breach Notification Act would slash the notification timeline for healthcare providers, since HIPAA currently gives providers 60 days to report a breach from the time it is discovered.
The aim is to homogenize reporting requirements nationwide, as the current system is a patchwork of state requirements.
The legislation comes on the heels of last week’s news that Uber concealed a 2016 data breach impacting 57 million customers. The company purportedly paid hackers $100,000 to keep the incident quiet.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson said in a statement.
“Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal,” he continued. “When it comes to doing what’s best for consumers, the choice is clear.”
If passed, the bill would crack down on executives who attempt to conceal breaches, with penalties of fines, up to five years in prison, or both.
The bill would also require the Federal Trade Commission to draft security protocols for use by all businesses, and it would create incentives for organizations that adopt technologies that render data unreadable or unusable if it is stolen in a breach.
In 2014, four senators including Nelson introduced a similar bill, but it failed to gain enough support to advance. Earlier this year, Sen. Richard Blumenthal, D-Connecticut, a co-sponsor of this bill, introduced the Data Broker Accountability and Transparency Act to create clearer rules around data breach disclosures.