
New Law Requires Companies to Report Data Breaches

Last updated on May 11, 2021

Following the scandalous Uber data breach, disclosed in 2017, a group of Democratic senators is trying to modernize US information security law. What they propose is a federal statute that would criminalize the deliberate concealment of data breaches. Today there is no single federal rule: breach notification is governed by a patchwork of state laws, and in many cases companies are not required to notify law enforcement (or, worryingly, affected customers) on any fixed timeline. The proposed law would force executives to disclose all relevant information, and failure to comply could result in criminal sanctions, including jail time. The law is designed to protect victims and consumers and to push companies to tighten their security, which could have a significant effect on you.


In 2016, hackers gained access to Uber’s data and stole huge amounts of information. The names, email addresses, and phone numbers of roughly 57 million riders and drivers were taken, and around 600,000 US drivers had their driver’s license numbers exposed. Rather than inform victims, the ride-sharing company paid the hackers approximately $100,000 to delete the data and keep quiet about the breach, which only became public a year later.

In October 2017, Pizza Hut’s website and app were hacked and the personal information of many customers was compromised, with suspicions that the attackers stole the payment card details of thousands of customers. Yet, rather than report this as soon as possible, Pizza Hut waited a staggering two weeks before notifying customers about the breach.

Perhaps the most infamous breach in recent history was the 2013 Yahoo data hack. All three billion of Yahoo’s accounts were affected, and the company waited three years before revealing any details regarding the breach. The hackers, who have yet to be caught, put the information up for sale on the dark web.

Another data breach recently in the news was the Equifax fiasco. On September 7, 2017, the credit reporting agency announced it had been targeted by hackers and that the personal data of close to 150 million people had been exposed, leaving them at risk of identity theft. Consumers were informed that their Social Security numbers, driver’s license information, addresses, and other sensitive data had been stolen by cybercriminals. The intrusion had begun in mid-May and was discovered at the end of July, so the company sat on the news for about six weeks, leading to widespread criticism from consumers and the media. Equifax claimed that it needed time to figure out how many accounts had been compromised and what information was stolen.

These are just a few examples of the dozens of large-scale data breaches, and rarely (if ever) do the companies involved own up promptly and inform the victims. As a result, a trio of senators has proposed a new bill which would force companies to notify affected individuals within 30 days of discovering a breach. The proposed bill is known as the Data Security and Breach Notification Act and is sponsored by three Democratic senators: Sen. Bill Nelson (D-FL), Sen. Richard Blumenthal (D-CT), and Sen. Tammy Baldwin (D-WI).

The new data breach law would make it a crime, punishable by up to five years in prison, to knowingly and intentionally conceal a data breach. The goal of the law is to protect consumers. It goes without saying that people whose identity, online accounts, or payment information has been stolen should be informed as soon as possible, so that they can take the necessary steps, such as changing passwords, freezing credit, or replacing cards, to protect themselves from further harm.

Advantages of the New Data Breach Laws

The case for the new law is simple: it gives consumers the information they need to protect themselves. Currently, each state has its own breach notification law, with different definitions of personal data, different deadlines, and different exemptions, and a single federal standard would do a far better job of protecting consumers consistently.

Also, consumers would know to steer clear of a company with a reputation for lax security. Allowing companies to conceal data breaches not only leaves consumers exposed to follow-on attacks but also leaves them unaware that their data is already in criminal hands. Forcing companies to publicize the details of a hack will encourage them to take extra steps to secure their databases.

The proposed law also gives businesses an incentive to adopt technologies such as encryption that render consumer data unreadable if it is stolen, since a breach of properly protected data does not carry the same notification burden. The legislation also directs the Federal Trade Commission (FTC) to set security standards that better protect consumers’ personal and financial data.

Will it Really Help?

Many consumer protection experts have welcomed the new proposal, and it seems to be a sensible and much-needed piece of legislation. However, there are critics of the new plan who say it won’t actually resolve the situation.

The critics contend that the law creates a perverse incentive: it punishes only executives who conceal a breach they know about, so a company that invests less in monitoring and detection is less likely to learn of a breach in the first place, and its executives are therefore less exposed to liability.

Instead, critics suggest that the government should encourage more encryption and fewer data retention mandates. The NSA and other agencies hoard personal information which can itself end up being leaked and exposed. Rather than shifting the blame onto companies, the government should look inward and encourage businesses to invest in stronger encryption, even if that means the NSA can no longer spy on individual citizens.

Some have stated that the scope of the law is too limited. Companies aren’t liable if only last names, addresses, or phone numbers are stolen in a data breach, and if there is no reasonable risk of identity theft or fraud, executives will not be charged. Critics say these exemptions are too broad, and that companies will fight charges by claiming there was no risk of fraud.

What’s Next?

One thing is certain: things will only get worse. As more companies move their data into cloud services and other forms of online storage, more attackers will try to steal it. There are entire criminal organizations devoted to hacking databases and stealing people’s identities and payment information. This new bill may well curb cover-ups and force companies to fix their cybersecurity problems... or it may achieve nothing, apart from giving work to a generation of lawyers. Only time will tell.
