Senator Bill Nelson of Florida has introduced a bill in response to Uber’s disclosure that it forgot to tell 57 million people, for a year, that their data was breached. The bill allows for penalties of up to five years in prison for anyone, such as company executives, who willfully conceals a breach for more than thirty days.
That is a serious incentive to disclose breaches quickly.
Now before anyone cheers or panics, Nelson is a Democrat, so the Republicans will likely kill the bill.
And, even if they don’t, there is a VERRRRY long path between a bill being introduced and the President signing it.
Still, in the light of Uber, it is POSSIBLE that Congress could get off its rear end and actually pass some sort of Federal data breach law. The challenge has always been getting something that enough people can agree on.
Over the last several years there have been a couple of attempts to do that, but lobbyists have always gotten bills like this watered down to effectively mean nothing. And the goal of those same lobbyists has always been to preempt strong state laws like those in California and Massachusetts with much weaker laws. From the states’ point of view, this is a states’ rights issue and Federal preemption of states’ rights in this Congress is tricky.
The bill also directs the FTC to develop mandatory security standards for businesses and provide incentives for adopting new security technologies. Color me confused, but five years in prison is a pretty strong motivator for most people.
Still, I presume that the odds of this getting passed are pretty low – but we can be hopeful.
Anyone who thinks that the Uber situation is unusual is being a bit naive. The fact that a breach OF THAT SIZE was concealed for a year is unusual (or at least we think it is), but that a breach was concealed for a year or forever is likely way more common than we would like to believe. Yahoo did not disclose its breach of 3 billion accounts for several years. Equifax did not disclose its breach for 7 months. On the other side of the coin, over 2,200 breaches were disclosed this year.
For publicly traded companies like Yahoo and Uber, the SEC can fine companies for failing to disclose a breach, but I cannot recall any times that they have done that. They may do that in the case of Uber since they have a bad boy reputation and some folks may feel that they need to be taught a lesson – stay tuned on that one.
There is one thing working in favor of a Federal breach law and that is the European Union. You may remember that the U.S. had a law called Safe Harbor which allowed U.S. companies to implement a few controls and say that they were compliant with European privacy laws. The CJEU, the EU’s highest court, struck down that law several years ago saying that it did not effectively protect E.U. residents’ rights. The law was replaced a year ago with something called Privacy Shield. Some say that Privacy Shield is like putting lipstick on a pig, meaning that it is a slightly worked over Safe Harbor, but it just passed an annual review and the E.U. narrowly approved saying that the law was effective at protecting E.U. residents.
But come next May, a new E.U. law, the General Data Protection Regulation, comes into force, and that places very strict rules on companies – like a requirement to notify people within 72 hours of discovering a breach.
In addition, some folks have taken the Privacy Shield law to court, so it is possible that this new law could get thrown out (technically, the E.U. can’t throw out a U.S. law but they can say that companies that comply with it do not qualify for protecting E.U. residents’ data, which is effectively the same thing).
It is possible that all of the privacy and legal activities in the E.U. could force the U.S. to enact stricter privacy laws. The last thing that U.S. businesses want is to have their ability to move data between the U.S. and the E.U. blocked. If it comes down to that, U.S. businesses may, reluctantly, lobby for a stricter security bill rather than lose their ability to move data between the U.S. and E.U. We should find out in 2018.
Information for this post came from the Washington Times.