New law to compel US businesses to inform users of data breaches


The United States Congress plans to introduce a bill that would push companies to report a breach within 30 days of its occurrence, or face penalties. The bill echoes efforts in the European Union, which aims to enforce comparable regulations next year.

The Consumer Privacy Protection Act, introduced last week by Rep. David Cicilline, orders companies to notify consumers if sensitive information has been compromised in a data breach. The bill deems digital photographs and geographical and biometric data, alongside Social Security and credit card numbers, “sensitive information,” reports FCW magazine, which covers the federal technology sector.

Companies are accountable when they process or have access to sensitive data on more than 10,000 customers. In the case of a data breach, companies have a 30-day window to notify their customers. If a company tries to conceal the breach (provided that it inflicted $1,000 or more in “economic harm” on a customer), the business can be fined and its owners imprisoned.

The widely reported Equifax data breach that compromised the personal information of 143 million US consumers and led to the forced retirement of several executives is said to have been key in prompting Capitol Hill to update the laws around consumer data privacy.

Chris Jaikaran, a cybersecurity policy analyst at the Congressional Research Service, believes the Consumer Privacy Protection Act, as it is currently described, is not enough to ensure that sensitive data gets handled better.

“What will consumers be expected to do with that information?” Jaikaran asked at a Senate Banking Committee hearing last week. “Do they just get a letter in the mail saying that their data was compromised and they're on their own? Or is there some recourse that the business or the corporation [must] provide to the consumer?”

Senator Mike Rounds seemingly agrees.

“Until we get down to the point where there are actually consequences for the bad guys involved, we're not going to make the major dent that we have to in terms of cyber theft,” he said. “We're focusing on the people who are trying to provide services. We're not focusing on going after the guys who are actually causing the problems for everybody else.”

48 of the 50 US states already have data breach laws in place, according to FCW.

The European Union’s General Data Protection Regulation (GDPR), going into effect in May 2018, imposes a similar requirement on companies that experience a data breach. The European law, however, gives a company not 30 days but 72 hours from the moment it “learns” of the attack to report the breach.

In the UK, a similar law is being drafted with the intent of keeping the country on par with EU regulations, both before and after it finally exits the Union in 2019.