Equifax Breach Prompts Renewed Calls for National Breach Notification Standard


The proposed national standard would replace a patchwork of 48 state standards for when consumers must be notified about a breach.

Cyber-focused lawmakers are taking advantage of the public outcry over the massive Equifax breach to renew calls for a nationwide standard for when companies must disclose a data breach.

Cybersecurity Caucus Co-founder Rep. Jim Langevin, D-R.I., reintroduced the Personal Data Notification and Protection Act with co-sponsor Rep. Ted Lieu, D-Calif., Monday. The bill would replace a patchwork of 48 different state breach notification standards with a single federal one.

Rep. Shea Porter, D-N.H., also signed on as a co-sponsor Monday and Langevin is seeking more co-sponsors, a spokeswoman said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Langevin slammed Equifax in a statement announcing the bill’s introduction, saying the credit rating agency had “done a terrible job communicating about the breach” and left many citizens unsure about whether or not their personal information was compromised.

“This legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly,” Langevin said.

“Congressional inaction on this topic is stymieing breach recovery, and we must act now to ensure Americans are fully informed following a cybersecurity incident,” he added.

The Equifax breach compromised personal information, including social security numbers, of 143 million people, or more than 40 percent of the U.S. population.

The breach has prompted other lawmakers to introduce bills mandating free credit freezes for all Americans and imposing more stringent data security standards on credit brokers.

Langevin’s bill would require companies to notify anyone affected by a breach of “sensitive personal information” within 30 days and task the Federal Trade Commission with helping coordinate that notification.

The bill defines “sensitive personal information” as including nearly any personal information including a person’s name, address, birth date, credit card number, Social Security number or biometric information such as a fingerprint as well as usernames and passwords for websites.

Breached companies could ask the FTC for an extension of that 30-day window if they need more time to assess the scope of the breach or to secure their systems against future breaches, according to the bill text.

The FBI or Secret Service could also delay notification if it would impede a law enforcement investigation.

Similar bills to impose a uniform data breach notification standard failed to pass either house of Congress in 2015. Some of the opposition to those bills came from privacy advocates who worried the bills would weaken stronger notification standards at the state level.

Langevin’s bill would similarly supersede state laws governing data breach notification.

The bill would apply to companies that collect personal information on at least 10,000 people.

Those companies could notify affected people by mail or email. They’d only be allowed to notify by email if the consumer had previously consented to receive email from the breached company, though.

If more than 5,000 people in a single state are affected by a breach, the breached company would also be required to release information about the breach to state or local media most likely to reach those people, according to the bill.

The bill also tasks the Homeland Security Department with keeping a tally of notifications sent out under the new law.