Senate bill would criminalize failure to report data breaches
- A bill introduced in the Senate would require companies to promptly report data breaches and hold executives criminally accountable if they fail to do so.
- The Data Security and Breach Notification Act — filed by Democratic Sens. Bill Nelson (Fla.), Richard Blumenthal (Conn.) and Tammy Baldwin (Wis.) — was introduced on the heels of Uber’s revelation that hackers had stolen personal information on 57 million drivers and riders in 2016. The ride-share company paid the hackers $100,000 to destroy the data, but did not inform regulators of the breach until the end of last month.
- Under the bill, companies would have to notify consumers within 30 days of discovering a breach occurring. Any employee who willfully conceals a breach could be sentenced to up to five years in prison.
The bill also calls for the Federal Trade Commission to establish regulations requiring businesses to implement policies and procedures on information security practices and to develop security standards for companies to follow to improve data protections.
This summer, consumer credit reporting agency Equifax waited more than a month to report a breach that exposed personal information of 145 million people.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.”
Under HIPAA, healthcare organizations are already having that responsibility. Covered entities must inform HHS immediately of any breach affecting 500 people or more and must report smaller breaches by the end of the calendar year. Since the January, the Office for Civil Rights has investigated 270 healthcare breaches affecting 4.5 million people.
Last year, OCR directed its regional offices to step up investigations of smaller breaches. While regional offices would retain discretion to prioritize which smaller breaches to pursue, they should consider the size of the breach, whether unencrypted personal data was stolen or improperly disposed of and whether the organization had reported previous breaches.
Data breaches and ransomware attacks have been a recurring problem in healthcare. In February, Verity Health notified more than 9,000 people that their personal information was possibly breached by an unauthorized third party. Then in May, a massive global cyber attack disrupted businesses in 104 countries, including many hospitals in the UK where routine services were suspended.
A June report by the Health Care Industry Cybersecurity Task Force declared that healthcare cybersecurity is in “critical condition” and called on federal government to take a stronger lead in helping organizations strengthen cybersecurity. The report also said federal requirements affecting cybersecurity should be streamlined and harmonized to enhance organizations’ effort to repel attacks.
The Senate proposal, S.2179, has been referred to the Committee on Commerce, Science, and Transportation.
- Modern Healthcare New bill would require corporate disclosure of data breaches
- Healthcare Informatics Senators Introduce Data Breach Disclosure Legislation