In the wake of the high-profile breaches at Equifax and Uber, several constituencies have been making a sustained push for a federal data protection and breach statute. Last week, a broad coalition of bank, insurance and retail associations urged Congress to pass national legislation establishing uniform data protection and breach notification standards. In their letter, the organizations stressed that businesses and consumers would benefit from uniform requirements, in contrast to the current regime of overlapping and sometimes differing State requirements. Among other things, the letter urged Congress to adopt legislation that imposes flexible and scalable standards for data protection depending on the size and nature of the company, with exclusive enforcement of the new national standards by the FTC and state Attorneys General (other than for entities subject to state insurance regulation or that comply with the Gramm-Leach-Bliley Act and HIPAA).
Meanwhile, in the Senate, a new bill was introduced late last year by Democratic Senators Richard Blumenthal (CT), Bill Nelson (FL), and Tammy Baldwin (WI). The proposed legislation would cover all entities that acquire, maintain, or utilize personal information. Among other things, the law would require notification of affected parties within 30 days after the discovery of a breach except in limited circumstances (such as a law enforcement investigation), as well as notification to law enforcement if the breach involves more than 10,000 individuals and in certain other circumstances. Notably, the proposed legislation also requires entities to have a security policy regarding the collection, use, sale, dissemination and maintenance of personal information; to identify a point of contact with responsibility for information security; and to regularly monitor for potential breaches and take a proactive approach to vulnerabilities. The bill goes further to require the FTC to promulgate additional data security regulations taking into account the size and nature of different organizations, among other things. The bill also permits civil actions against non-compliant companies to be brought by State Attorneys General.
If an entity is found to have violated the law’s requirements, the bill proposes a series of civil penalties depending on the violation, with a $5,000,000 maximum penalty for a failure to maintain adequate information security or to make proper notifications under the statute. Finally, the bill introduces criminal penalties for persons who seek to actively conceal data breaches. The proposed legislation states that “any person who . . . intentionally and willfully conceals the fact of the breach of security . . . in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more,” can be imprisoned for up to five years and criminally fined.
The recently introduced bill and the lobbying by industry groups show that we are likely closer to a national cybersecurity regime than we have been at any time in the recent past. Time will tell whether this momentum will finally culminate in a national standard, and whether, and in what form, federal legislation comes to fruition in 2018.