Equifax breach drives legislative push on data privacy

A House bill sets a deadline for companies to notify customers of data breaches and expands the categories of information treated as sensitive.


Rep. David Cicilline (D-R.I.) is the latest member of Congress to offer a legislative answer to the growing problem of consumer data breaches. His Consumer Privacy Protection Act, introduced Oct. 19, orders companies to notify consumers if sensitive information has been compromised in a data breach. The bill widens the scope of sensitive information, including not just Social Security and credit card numbers, but also digital photographs and geographical and biometric data.

Like Rep. Jim Langevin's (D-R.I.) September legislation, Cicilline's bill holds companies with access to sensitive data on more than 10,000 customers accountable, giving them 30 days to disclose data breaches involving personal information. If a breach that costs a customer $1,000 or more in "economic harm" is found to have been concealed, the responsible company can expect legal repercussions in the form of a fine or imprisonment.

Currently, 48 states have data breach laws in place. Provisions of Cicilline's bill would supersede any state law deemed "less stringent." The legislation has seven cosponsors, all Democrats. The original version was introduced in 2015.

Since the disclosure of the Equifax breach in September, there has been increased pressure on Capitol Hill to update the laws around consumer data privacy. Many officials agree that there is a need for new consumer privacy laws, but some wonder whether federal notification and national standards alone can fully help consumers mitigate the effects of cyber theft.

At an Oct. 17 Senate Banking Committee hearing, Chris Jaikaran, cybersecurity policy analyst at the Congressional Research Service, said that while a federal notification law would "provide a level of certainty for both businesses and consumers," follow-up remains critical.

"What will consumers be expected to do with that information? Do they just get a letter in the mail saying that their data was compromised and they're on their own? Or is there some recourse that the business or the corporation [must] provide to the consumer?" Jaikaran asked.

Sen. Mike Rounds (R-S.D.) stated that while he agreed with the idea of establishing a security standard and "continued surveillance" of credit reporting agencies, more must be done to combat the perpetrators of these attacks.

"Until we get down to the point where there are actually consequences for the bad guys involved, we're not going to make the major dent that we have to in terms of cyber theft," Rounds said. "We're focusing on the people who are trying to provide services. We're not focusing on going after the guys who are actually causing the problems for everybody else."