Amid the flurry of high-profile data breaches in 2017, three U.S. senators introduced the Data Security Breach Notification Act, now working its way through the Congressional docket. Similar bills have been introduced before, but the most recent and massive losses of consumer data may have created momentum for imposing jail time on executives who fail to prevent or disclose computer hacks.
California and 47 other states have laws on the books governing required disclosure of data breaches. Federal agencies, such as the FTC, have regulations governing data security and breach practices for businesses.
This proposed law stands out because it imposes the potential for federal prison sentences.
The data breaches at Uber, Equifax, the Republican National Committee, and the CIA dominated the news about cybercrime in 2017, but there were more than a thousand significant data breaches last year. Uber and Equifax were heavily criticized for failing to promptly disclose the attacks and notify authorities and consumers about the stolen data. The companies’ handling of disclosures to the public prompted regulatory investigations and policy examinations.
The breach at credit bureau Equifax was the largest data breach in U.S. history, affecting more than 143 million Americans. Names, birth dates, social security numbers, addresses, some driver’s license numbers, more than 200,000 credit card numbers, and nearly 200,00 other documents containing personal identifying data were stolen.
Equifax waited three weeks to tell its board of directors about the breach, and some 41 days passed before consumers learned that their personal identity details were in the hands of cyber criminals.
Uber disclosed a year after the fact that hackers had stolen 57 million driver and rider accounts in 2016. In an attempt to conceal the data breach, Uber is accused of paying $100,000 to the hackers to delete the data and to sign a non-disclosure agreement about the stolen data. By demanding that the hackers destroy the stolen data, Uber may have violated Federal Trade Commission regulations prohibiting companies from destroying evidence. Uber may also have broken existing California state laws requiring the disclosure of stolen driver’s license data.
In Congressional hearings about these cyber attacks, lawmakers and regulators expressed concern about the potentially severe financial and personal consequences for individuals when a data breach occurs, and about the fact that company executives have little incentive to act in the best interest of consumers because neither the company nor its executives faced serious consequences for failing to prevent data breaches or to disclose them.
The most recent re-introduction of the Data Security Breach Notification Act in Congress late last year seeks to make company leaders personally accountable for securing personal data and for informing the public when their details may be in the hands of identity thieves. Currently, laws and associated penalties vary by state. Proponents say a national law would create standards for businesses to follow in protecting personal data, and that requiring nationwide notice when a breach happens would protect consumers who do business across state lines.
The bill would impose requirements that businesses secure personal data and notify each individual whose personal information was (or is believed to have been) accessed or stolen.
The major provisions of the current bill include:
The bill proposes that the FTC establish standards for businesses to follow, while directing the FTC to develop incentives for businesses to make consumer data “unusable or unreadable if stolen during a breach.”
The new law would impose jail time of up to five years for “intentionally and willfully” concealing a security breach that results in economic harm of $1000 or more to any person.
Various civil penalties could total up to $5,000,000 for a single breach incident under the bill.
The law as currently proposed allows for circumstances in which businesses would have more than 30 days to disclose a data breach, such as showing that the organization needed additional time to identify exactly which customer data might have been stolen, accessed or lost, or that it was taking preventative measures against further breaches.
Jeremy Goldman specializes in defending white collar and business crime in state and federal court. He is a top-ranked attorney with over 20 years of criminal defense and trial experience. He is certified as a specialist in criminal law by the State Bar of California Board of Legal Specialization. Call 949-387-6670 or contact him online here for a no-cost consultation on any criminal matter.