A new bill would criminalize not disclosing data breaches, putting company executives on the hook for failing to report when their organizations' data is compromised.
Healthcare organizations already have that responsibility: A covered entity must report to HHS immediately any breach that affects 500 or more people and must report a breach affecting fewer than 500 people by the end of the calendar year. So far this year, there are 270 healthcare breaches under investigation, affecting 4.5 million people, and 42 resolved breaches, affecting 250,881 people, according to the Office for Civil Rights' Breach Portal.
The Senate bill, the Data Security and Breach Notification Act, would require a company to notify its consumers of a data breach within 30 days. If an employee of the company "intentionally and willfully conceals" a data breach, and if that breach causes any person $1,000 in harm or more, the employee could be imprisoned for up to five years, fined, or both.
Sen. Bill Nelson (D-Fla.), Sen. Richard Blumenthal (D-Conn.), and Sen. Tammy Baldwin (D-Wis.) introduced the bill just over a week after Uber announced hackers stole 57 million riders' and drivers' personal information in 2016. After the breach, the ride-sharing giant paid the hackers $100,000 to destroy the information. Earlier this year, Equifax waited 41 days to announce that it had been breached, with hackers exposing more than 145 million people's personal information.
An earlier bill, the Data Security and Breach Notification Act of 2014, would have established similar disclosure requirements. That bill fizzled after it was introduced in the Senate.