Sophos News

Proposed law would jail execs who fail to report data breaches

We found out last month that Uber paid hackers $100,000 in hush money after they stole 57 million driver and rider accounts in 2016. Then, it zipped its lip on the data breach, failing to inform victimized customers and drivers for more than a year.

There was talk at the time – in our comments section at least – that somebody at Uber should face legal consequences for aiding and abetting the hackers.

You know, the criminal charge isn’t a bad idea. Of course, criminal charges could also potentially be applied to other companies whose executives might have failed to inform customers, regulators and other appropriate authorities about a breach. (Equifax comes to mind, what with its big cluster-muck of a breach, though for what it’s worth, its execs have been cleared of wrongdoing for their impeccably timed, post-breach, pre-notification stock sell-offs.)

Well, those wishing for criminal comeuppance will likely be heartened to know that the US Senate is thinking along similar lines, though more regarding the “failure to notify” transgression rather than on the “aiding and abetting” side.

A Senate bill that would make it a crime – punishable by up to five years in prison – for companies to knowingly conceal a breach of customer information has been re-introduced after failing to pass in 2015.

Senator Bill Nelson (D-FL), the top Democrat on the Senate Commerce Committee, re-introduced the bill on Thursday. He first gave this a go in 2015, when his was one of several bills put forward to protect customers from leaks. Nelson tried to pass the bill, called the Data Security and Breach Notification Act, during the last session.

The 2015 attempt failed when the Senate split over concerns regarding privacy and potential over-regulation. There were good reasons to shoot it down then, and there might well be good reasons to shoot it down this time around.

In April 2015, the Washington Post talked to privacy advocates who said that the then-current version of the bill would leave us worse off, given that it would undercut stronger state laws and kill some federal-level protections.

WashPo quoted Rep. Jan Schakowsky (D-Ill.):

Fifty-one states or territories have some sort of data protection legislation on the books. Thirty-eight would see the data protection breach notification diminished in some way because this is a pre-emption law.

She said that breach notification standards in the 2015 version of the bill hinged on actual or potential financial harms, “although many states have laws with lower thresholds for notification, such as in the event of any unauthorized access or when there is a potential risk to consumers, even if it’s not specifically financial.”

If the name of the bill sounds familiar, it’s because the Data Security and Breach Notification Act has been struggling to crawl out of the primordial legislative ooze for a long time. When senators introduced Senate Bill 3333 – the Data Security and Breach Notification Act of 2012 – it was at least the fourth attempt at passing national legislation in the US to consolidate the more than 40 different state laws that were then in place. The aim was one, single law that would simplify compliance and ensure a more uniform notification process when a breach occurs.

Even that 2012 version was a bit more watered down and less specific than the version President Obama proposed in 2011, but no matter: it didn’t go anywhere.

At any rate, Nelson says it’s high time to hold companies responsible. From his announcement about the 2017 incarnation of the act:

We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers. Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.

Besides requiring that companies quickly notify consumers of a data breach and carrying lengthy jail time for those who try to cover up breaches, the legislation also directs the Federal Trade Commission (FTC) to develop strict security standards that businesses would be required to follow to better protect consumers’ personal and financial data. It also offers incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.

The bill would further direct the Department of Homeland Security (DHS) to set up a new federal entity to which data breaches would have to be reported if they involve:

  1. the personal information of more than 10,000 individuals,
  2. a database containing the personal information of more than 1 million individuals,
  3. federal government databases, or
  4. the personal information of federal employees or contractors known to be involved in national security or law enforcement.

The new, designated federal entity would be responsible for notifying a laundry list of other federal agencies:

Should we hope that the new bill passes?

Maybe – but only if we see a version that improves on the state laws we now have in place. First, make the privacy advocates happy; only then will we wish the legislation godspeed.
