The public may learn of data breaches much more promptly if three senators get their way on a proposed Senate bill, the Data Security and Breach Notification Act, which was introduced on Thursday, Nov. 30. Under the bill, organizations would have to notify affected individuals within 30 days of discovering a breach, and anyone who knowingly conceals a breach could face up to five years in prison.
Florida Senator Bill Nelson introduced the bill, which was co-sponsored by Connecticut Senator Richard Blumenthal and Wisconsin Senator Tammy Baldwin. Forty-eight states currently have data breach notification laws, but they are inconsistent; the proposed bill would create uniform regulations across the country.
According to CNN, the bill is part of a broader effort to better protect customer data in the wake of several high-stakes, high-profile data breaches that were not reported until months or years after the fact – much too late for consumers to react as they might have liked to safeguard their information.
That can harm consumers’ confidence and make them reluctant to do business, even with organizations that were not part of the reported breach. As the incidents pile up, confidence has nowhere to go but further down. Uber, Yahoo, Equifax, Target, Home Depot – and those are just a few.
In November, the world learned that Uber had been hacked a year earlier, compromising 57 million customers’ and drivers’ data. Not only did Uber not disclose the hack, but its CSO covered up the incident altogether, paying the hackers $100,000 to destroy the stolen information.
In October, Yahoo admitted that every single one of its three billion user accounts had been compromised in history’s biggest data breach ever, which hit the company in 2013 – four years ago. (To be fair, Yahoo did 'fess up earlier, but in stages: its September 2016 disclosure covered a separate 2014 intrusion affecting 500 million accounts, and the 2013 breach was first disclosed in December 2016 as affecting one billion accounts, before the October 2017 revision to three billion.)
In September, Equifax revealed that it had experienced a cybersecurity incident that put 143 million U.S. consumers’ data at risk. That number was later increased to more than 145 million, plus another 15 million records in the U.K. The incident in question had taken place months earlier, between mid-May and late July, and went undetected for weeks.
In May, Target paid $18.5 million to settle claims related to its 2013 holiday season data breach, which compromised 40 million customers’ credit and debit cards.
And in March, Home Depot agreed to pay $25 million to banks that suffered damages as a result of its 2014 breach. That was on top of the $134.5 million to consortiums made up of Visa, Mastercard and assorted banks, and another $19.5 million paid to affected consumers. In total, 56 million payment cards were compromised.
The moral of the story: Bigger is not, apparently, better. If consumers can’t trust these giants with their data, who can they trust? It is a big ask for a company to request a customer’s sensitive information, and many are showing that they can’t handle the responsibility. Unfortunately for the rest, that can ruin it for the whole class.
This proposed bill aims to make things a little better by holding organizations accountable for incidents. Many view cyberattacks as inevitable in this day and age, and it is true that fraudsters are continually getting more inventive as they seek new ways around companies’ defenses.
Introducing uniform regulations with real penalties may mean that incidents are more likely to get cleaned up and disclosed rather than swept under the proverbial rug. Of course, after the large-scale attacks outlined above, any such move may be too little, too late – but lawmakers won’t know unless they try, right?