Lawmakers Add 48-Hour Rule to Data Breach Notification Bills

U.S. Sens. Jay Rockefeller and Mark Pryor joined U.S. Rep. Mary Bono Mack in filing legislation that requires companies to notify customers about data breaches within 48 hours of when an incident assessment is completed.

Two draft versions of data breach bills were introduced in Congress: one by U.S. Rep. Mary Bono Mack, R-Calif., and the other by Sens. John Rockefeller, D-W.Va., chair of the Senate Commerce Committee, and Sen. Mark Pryor, D-Ark.

The Bono Mack draft bill would require companies to notify the Federal Trade Commission and law enforcement within 48 hours and to begin notifying customers within 48 hours of when an incident assessment is completed, Bono Mack said June 15. The Rockefeller-Pryor bill, introduced the same day, would also require companies to safeguard sensitive data and inform customers in a timely manner in the case of a breach.

"If companies are going to collect and store consumers' personal information, safeguarding that information should be priority No. 1," said Pryor, noting that many companies have recently been hacked. "We need to pass strong security and notification standards before this problem spins further out of control," Pryor said.

The bills come shortly after lawmakers and consumers bitterly berated Sony for taking so long to disclose a massive data breach in its PlayStation Network and related entertainment sites. Recent reports revealed that Citigroup also sat upon a data breach incident for at least three weeks.

At the House hearing, other lawmakers expressed concern that allowing companies to wait until the assessment is complete would result in stalling tactics. Mack said she is willing to discuss a certain "drop-dead" time, such as 60 days, within which companies have to report the breach. Organizations being too slow would face penalties from the Federal Trade Commission.

The Bono Mack bill could result in scenarios similar to what happened to Sony. Rep. Henry Waxman, D-Calif., noted that if this bill were law, Sony would still not be required to notify customers about the breach, since it is still in the process of assessing the data breach. Sony was hacked in mid-April.

Bono Mack, chairman of the House Subcommittee on Commerce, Manufacturing and Trade, called her bill "our opening shot." Her Secure and Fortify Electronic Data bill closely tracks the bills from Energy and Commerce committees, but the class of companies subject to the law is much wider, including third-party data holders such as "contracted cloud providers." Bono Mack also gave the FTC authority over nonprofit organizations, noting that they often posses "a tremendous amount" of consumer information.

Under the rule, companies would be required to erase personal data as soon as it's not being used, eliminating the possibility of having it stolen in an attack. Companies would not have to notify law enforcement of the intrusion within 48 hours if the breach "is determined to be inadvertent" or would be unlikely to "result in harm," according to the draft.

"The consequences of data breaches can be grave: identity theft, depleted savings accounts, a ruined credit score, and trouble getting loans for cars, homes and children's education," said Rockefeller.

The Rockefeller-Pryor bill would require businesses that store personal information to establish reasonable security policies and procedures to protect data.

"Companies that maintain vast amounts of consumer information need to have effective safeguards in place to keep sensitive consumer information secure," Rockefeller said.