Proposed Data Breach Notification Law Could Put Executives in Jail
Three Democratic Senators, Richard Blumenthal of Connecticut, Bill Nelson of Florida, and Tammy Baldwin of Wisconsin, introduced legislation that could put executives behind bars if their company does not report data breaches in a timely manner.
The “Data Security and Breach Notification Act” would require companies to notify every U.S. citizen whose personal information could have been affected by a data breach within 30 days of discovering the breach, with some leeway if they need additional time to determine exactly who was affected. If the breached system is maintained by a third party, that party is required to notify the covered entity immediately.
If more than 5,000 people were affected by the breach, the company must also notify the three major credit reporting agencies.
If an executive knowingly covers up a data breach, they could be sentenced to up to five years in prison.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Nelson in a statement.
This proposed law comes on the heels of a report that Uber paid hackers a $100,000 ransom to delete the personal information of 57 million customers and drivers that the hackers had stolen. While the breach took place in 2016, it was disclosed only two weeks ago.
As Uber came under fire in the United States, the worldwide bike share company Obike suffered a breach of its own. Bavarian Radio reported that unencrypted personal information, such as names, phone numbers, profile photos, location information, and email addresses, was accessed by reporters on its staff. The Singapore-based company has expanded into Asia, Europe and the United Kingdom, and users in all of these regions were affected.
A spokesperson for Obike told CNET the breach only affected a “small handful” of users, and wanted to reassure customers the app does not store credit card information.