Senate Commerce Dems Renew Push to Notify Consumers of Data Breaches

November 30, 2017

WASHINGTON – Three key members of the Senate Commerce Committee filed legislation Thursday that requires companies to quickly notify consumers of data breaches and imposes new criminal penalties for corporate personnel who deliberately conceal breaches.  

The renewed push for congressional action comes on the heels of Uber’s disclosure last week that it concealed from drivers and customers a 2016 data breach affecting 57 million accounts. 

The legislation, sponsored by the committee’s ranking member, Bill Nelson (D-Fla.), along with Sens. Richard Blumenthal (D-Conn.) and Tammy Baldwin (D-Wis.), would require companies to notify consumers of data breaches within 30 days and make knowingly concealing a breach a crime punishable by as much as five years in prison, among other things.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that info has been stolen by hackers,” said Nelson.  “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.  When it comes to doing what’s best for consumers, the choice is clear.”

“Only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised,” said Blumenthal.  “Uber’s stunning announcement of a data breach – made public a year after the fact – is yet another example of corporate carelessness in the face of cyber intrusions that put their customers’ and employees’ personal and financial information at risk.  American consumers simply deserve better.  Our legislation will give the FTC real teeth to hold accountable businesses that refuse to implement reasonable security practices.”

“The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage,” said Baldwin.  “At a recent Commerce Committee hearing, I asked Equifax executives point blank if they were going to notify every single American affected by the massive data breach that their personal information was hacked.  I did not get a straight answer and that’s not acceptable.  The Senate needs to take action to hold these companies accountable and require them to notify affected consumers when their personal information has been breached. This legislation will make sure we are doing right by consumers.”

In addition to requiring companies to warn consumers of breaches and imposing jail time for keeping them secret, the legislation also directs the Federal Trade Commission (FTC) to develop security standards to help businesses protect consumers' personal and financial data, and to provide incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.

Nelson and Blumenthal introduced a similar bill in the Senate last year.  
