Primarily motivated by several recent massive data breaches, Senate Democrats recently introduced a bill geared toward protecting Americans’ personal information against cyber attacks and ensuring timely notification and protection when data is breached.
The Consumer Privacy Protection Act of 2017 provides that companies that collect and hold data on at least 10,000 Americans would be required to implement “a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.”
The legislation protects broad categories of data, including: Social Security, drivers’ license, and passport numbers, financial account numbers or debit/credit card numbers in combination with a security code or PIN, online usernames and passwords, unique biometric data such as fingerprints and retina or iris scans, physical and mental health data, geolocation data, and private digital photographs and videos.
The bill would also allow the United States Attorney General, state attorneys general, and the Federal Trade Commission to enforce the breach notification and security rules, exposing violators to civil penalties starting at $16,500 and scaling with the number of records breached. The bill does not provide for a private right of action.
The legislation would require notification to be made “as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach.”
The law would also require companies to provide “five years of appropriate identity theft prevention and mitigation services” at no cost to any affected individual who requests them, and prohibits automatically enrolling individuals in those services without their consent.
The text of the bill can be found here.
It is worth noting that shortly following the introduction of the Consumer Privacy Protection Act, three Democratic senators introduced the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days of becoming aware of them. An individual who knowingly conceals a data breach could face a penalty of up to five years in prison. This bill comes on the heels of Uber’s recent announcement that hackers stole 57 million records in 2016, and that Uber paid the hackers $100,000 to destroy the data.
We will continue to report on the status of these bills and other legislative proposals for heightened data security at the federal level, in light of the massive data breaches of late, as developments unfold.