US Senate bill proposes prison time for execs who conceal data breaches

November 30, 2017

Amidst an ongoing data security crisis, three Democratic members of the U.S. Senate have proposed a new bill that would carry up to five years in jail for company executives found responsible for not disclosing consumer and client data breaches.

Dubbed the Data Security and Breach Notification Act, the bill is cosponsored by Sens. Bill Nelson (D-Fla.), Richard Blumenthal (D-Conn.), and Tammy Baldwin (D-Wisc.). According to Gizmodo, the act would include fines and potential imprisonment for officials who “intentionally and willfully” fail to disclose a data breach.

Not coincidentally, the proposal comes on the heels of rideshare service Uber revealing it paid a $100,000 ransom to hackers to keep them from exploiting 57 million stolen user accounts. The incident occurred in 2016, but officials at Uber who knew about the hack and subsequent payoff failed to disclose it to customers, drivers, or federal authorities.

“Congress can either take action now to pass this long overdue bill, or continue to kowtow to special interests who stand in the way of this commonsense proposal,” Nelson said. “When it comes to doing what’s best for consumers, the choice is clear.”

Another factor for Nelson, Blumenthal and Baldwin was the unprecedented Equifax hack, which exposed Social Security numbers and other personally identifiable information of nearly 150 million Americans. Equifax waited more than a month — 41 days — before informing the public of the massive security breach.

In the wake of hacks like Equifax and Uber, individual states have filed lawsuits against the companies on behalf of their citizens. But the Senate bill would give more power to the federal government to enforce universal standards against corporations.

Notably, the bill includes a “Timeliness of Notification” clause that would require companies to disclose a breach within 30 days of discovery, and to directly inform affected entities in writing or via email.