[BreachExchange] New-But-Old US Bill Introduces Prison Time for Execs Who Conceal Data Breaches

Destry Winant destry at riskbasedsecurity.com
Sat Dec 2 23:03:08 EST 2017


https://www.bleepingcomputer.com/news/security/new-but-old-us-bill-introduces-prison-time-for-execs-who-conceal-data-breaches/

Three US senators have introduced a bill on Thursday that will make it
mandatory for companies to report breaches to customers within 30
days, but also carries fines and possible prison time for execs who
conceal breaches from users and authorities.

The new bill is named the Data Security and Breach Notification Act
and is sponsored by three Democrats: Sen. Bill Nelson (Florida), Sen.
Richard Blumenthal (Connecticut), and Sen. Tammy Baldwin (Wisconsin).

Not the first time senators try to regulate breach disclosure

This is the second time a bill with this name has been introduced.
Four senators, including Nelson, tried to push a previous version of
this bill in 2014, during the Obama administration, but failed to get
the support they needed.

The 2014 bill came shortly after the Target and Neiman Marcus
breaches, and its main objective was to force companies to store data
in a more secure manner and ensure all customers receive breach
notifications in due time.

This new bill comes as a response to the recent Uber debacle, where
the company paid $100,000 as hush money to two hackers to keep quiet
about a security incident that took place in late 2016. The company
came clean about the breach a year later, after a change in
management, revealing that hackers stole details for almost 57 million
drivers and customers.

Execs who hide breaches risk going to prison

The new Data Security and Breach Notification Act includes verbiage
that will fine company execs if they intentionally conceal a breach,
punishing culprits with fines and a prison sentence of up to five
years.

But this is not the bill's main purpose, even if some users would take
comfort in the thought that overpaid executives will see the inside of
a jail cell if they screw up.

The bill's main purpose is to homogenize data breach notification laws
across US states. Currently, each US state forces companies to
disclose breaches in a different manner, while some states don't even
have such laws in the first place.

The new federal-level Data Security and Breach Notification Act will
require companies to notify customers of security breaches in no more
than 30 days after the breach took place, and also directs the Federal
Trade Commission (FTC) to develop security standards to help
businesses protect consumers' personal and financial data and provide
incentives to businesses who adopt new technologies that make consumer
data unusable or unreadable if stolen during a breach.

"The recent data breaches, from Uber to Equifax, will have profound,
long-lasting impacts on the integrity of many Americans’ identities
and finances, and it is simply unacceptable that millions of them may
still not know that they are at risk, nor understand what they can and
should do to help limit the potential damage," said Senator Baldwin,
one of the bill's co-sponsors.
