The Data Security and Breach Notification Act (S2179) was introduced by three Senate Commerce Committee Democrats, Bill Nelson [D-FL], Richard Blumenthal [D-CT] and Tammy Baldwin [D-WI] in the wake of the revelation that Uber hid a breach involving 50,000,000 riders and 7,000,000 drivers for over a year after paying hush-money to the criminals who stole the data.
The bill requires that companies promptly disclose breaches involving information that could expose people to identity theft, and provides for five-year prison sentences for executives of companies that fail to comply. It also directs the FTC to standardize consumer data-protection practices; Nelson says it also "provides incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach" (that is, strong cryptography, something that Deputy Attorney General Rod Rosenstein has called for a ban on).
Rep. Gerry Connolly, D-Va., told CyberScoop he was hoping for a national standard to evolve among the private sector, but massive breaches like Equifax may force Congress's hand.
Congress doesn't "want to upset the technology community with obtrusive regulation," but the private sector has been poor in instilling confidence that it will act in the public's best interest, he said.
"I think it's headed that way absent some fresh look by industry, a benchmark standard that everybody's accepted voluntarily to meet, so that federal regulation is unnecessary," Connolly told CyberScoop in October. "I think Equifax is a great test of whether industry is capable of meeting that test."
Currently, 48 states have their own data breach notification laws. However, those laws differ wildly from state to state.
S.2179 – A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.
[Patrick Howell O'Neill/Cyberscoop]