Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Senate Bill Proposes Prison Time for Failure to Report Data Breaches

    By
    Wayne Rash
    -
    December 2, 2017
    Share
    Facebook
    Twitter
    Linkedin
      cloud security

      If a new Senate bill introduced on Nov. 30 is passed by the Senate and the House of Representatives, the failure to report a breach in a timely manner could land the people who knew about it in prison for as long as five years.

      The new bill, the “Data Security and Breach Notification Act,” introduced by Senator Bill Nelson (D-FL) along with Senators Richard Blumenthal (D-CT) and Tammy Baldwin (D-WI), covers a wide range of topics involving the protection and destruction of data containing personal information. It also puts the Federal Trade Commission in charge of enforcing penalties for data breaches.

      After the Senate returns to work after dealing with the current tax bill, the proposed breach notification act will likely be officially passed along to the Senate Commerce Committee. Effectively, it’s already there, since Sen. Nelson is the ranking member of the committee. But since it’s just been introduced, it’s too early for hearings to be scheduled.

      Besides to imposing significant penalties for the failure to report a breach, the bill contains provisions controlling how personal information, including names, social security and credit card numbers, must be protected. The bill also exempts organizations from the worst penalties if a data breach occurs if they protected customer data from exposure and use in identify theft scams by enforcing adequate data encryption.

      Once the bill becomes law, it requires the FTC to develop and promulgate regulations to require affected organizations to “establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information.” The policies and procedures must take into account the type of activity, the state of the art, the cost and the impact on small business.

      In addition, the law will require organizations to determine who is responsible for establishing and enforcing information security practices, maintaining processes for preventative and corrective action, and for safely disposing of unneeded data in both electronic and paper form. There are exemptions for organizations covered by other federal laws such as financial institutions and in the health care industry.

      Another section of the bill requires organizations to notify the FTC and the people who are affected within 30 days from when the breach was discovered. There are differences in how the notification is handled depending on whether the breach was at the affected organization or whether it was data being held by a third party, but in either case the notification and data protection requirements are the same. The only change is that the notification is required within 30 days of when the organization whose data was breached finds out about it.

      As you’d expect there are exceptions, primarily to avoid interfering with a federal investigation. There’s also a provision for the U.S. Secret Service and the Federal Bureau of Investigation to request a delay from the Department of Homeland security, provided it can be justified.

      In addition to notifying the people who have had their data compromised, the organization that had their data breached must notify the major credit reporting agencies and it must make credit monitoring services available for free to people who have had their data breached.

      The bill also explicitly covers the manner in which the people affected by the breach would be notified. Those methods include email and website notification as well as by postal mail. The bill also allows the FTC to post a notice on its website.

      The bill would allow state law enforcement bodies to take action for breaches that happen in their jurisdictions allow for coordination among law enforcement agencies.

      It’s also worth noting that the bill would require organizations to have remediation plans in place, and to tell people with data that was breached what those plans are.

      Now that the bill has been introduced, the biggest question is whether it has any chance for passage. The three original sponsors are all Democrats, which in the current political environment would mean that it’s doomed. However, the bill is not political in nature and the Senate Commerce Committee has already announced that it’s going to be holding hearings on the Uber breach and the resulting delay in notification.

      In addition, a spokesperson for the Committee told eWEEK in an email that Sen. Nelson and others will be reaching out to the Republican majority for support and co-sponsorship. Considering the non-partisan nature of the bill, and prominence of the Uber revelations, it would seem that there’s a better chance than usual that this bill will get a fair hearing and have a chance for passage in the Senate.

      However, there is no companion bill in the House, but there doesn’t need to be as long as the bill remains non-partisan and as long as it appears to be needed. But remember, nothing is assured in Congress.

      If that happens, it would be too bad. The bill is very well thought-out and it’s something that’s badly needed. Right now, breach notifications are controlled by a patchwork of state and local rules, but without a formal national requirement. Considering the borderless nature of the internet this situation has to change.

      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×