Amid the flurry of high-profile data breaches of 2017, three U.S. senators introduced the Data Security Breach Notification Act, now working its way through the Congressional docket. Similar bills have been introduced before, but the most recent and massive losses of consumer data may have created momentum for imposing jail time on executives who fail to prevent or disclose computer hacks.
California and 47 other states have laws on the books governing required disclosure of data breaches. Federal agencies, such as the FTC, have regulations governing data security and breach practices for businesses.
This proposed law stands out because it imposes the potential for federal prison sentences.
Why A Jail Sentence for Failing to Disclose a Data Breach?
The data breaches at Uber, Equifax, the Republican National Committee, and the CIA dominated the news about cybercrime in 2017, but there were more than a thousand significant data breaches last year. Uber and Equifax were heavily criticized for failing to promptly disclose the attacks and to notify authorities and consumers about the stolen data. The companies’ handling of disclosures to the public prompted regulatory investigations and policy examinations.
The breach at credit bureau Equifax was the largest data breach in U.S. history, affecting more than 143 million Americans. Names, birth dates, social security numbers, addresses, some driver license numbers, more than 200,000 credit card numbers, and nearly 200,00 other documents containing personal identifying data were stolen.
Equifax waited three weeks to tell its board of directors about the breach, and some 41 days passed before consumers learned that their personal identity details were in the hands of cyber criminals.
Uber disclosed a year after the fact that hackers had stolen 57 million driver and rider accounts in 2016. In an attempt to conceal the data breach, Uber is accused of paying $100,000 to the hackers to delete the data and to sign a non-disclosure agreement about the stolen data. By demanding that the hackers destroy the stolen data, Uber may have violated Federal Trade Commission regulations prohibiting companies from destroying evidence. Uber may also have broken existing California state laws requiring the disclosure of stolen driver's license data.
In Congressional hearings about these cyber attacks, lawmakers and regulators expressed concern about the potentially severe financial and personal consequences for individuals when a data breach occurs, and about the fact that company executives have little incentive to act in the best interest of consumers, because neither the company nor its executives faced serious consequences for failing to prevent data breaches or to disclose them.
The most recent re-introduction of the Data Security Breach Notification Act in Congress late last year seeks to make company leaders personally accountable for securing personal data and for informing the public when their details may be in the hands of identity thieves. Currently, laws and associated penalties vary by state. Proponents say a national law would set standards for businesses that protect personal data, and that requiring nationwide notice when a breach happens would protect consumers who do business across state lines.
Major Provisions of the Proposed Data Security and Breach Notification Act
The bill would impose requirements that businesses secure personal data and notify each individual whose personal information was (or is believed to have been) accessed or stolen.
The major provisions of the current bill include:
- having a security policy regarding the collection, use, dissemination and maintenance of personal data;
- identifying an officer or individual responsible for information security;
- identifying reasonably foreseeable vulnerabilities in computer systems that contain personal information, and monitoring them for breach activity;
- reporting a breach of their data to affected individuals within 30 days, unless a federal law enforcement or intelligence agency exempts the company from informing the public.
The bill proposes that the FTC establish standards for businesses to follow, while directing the FTC to develop incentives for businesses to make consumer data “unusable or unreadable if stolen during a breach.”
Penalties Under the Proposed Bill
The new law would impose jail time of up to five years for “intentionally and willfully” concealing a security breach that results in economic harm of $1000 or more to any person.
Various civil penalties could total up to $5,000,000 for a single breach incident under the bill.
The law as currently proposed allows for circumstances in which businesses would have more than 30 days to disclose a data breach, such as showing that the organization required additional time to identify exactly which customer data might have been stolen, accessed or lost, or to take preventive measures against further breaches.
David Stein is available to consult with you at no charge on any criminal matter. He is an experienced Orange County criminal attorney, working in all courts. Contact our law offices at (949) 445-0040 today.