New Blumenthal bill would require firms to beef up security and privacy practices

Sen. Richard Blumenthal (D-Conn.) introduced a new bill Thursday aimed at protecting consumers by punishing businesses, individuals and data brokers that misuse or fail to protect their data.

The Personal Data Protection and Breach Accountability Act would require businesses with the personal information of more than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.

That includes regular testing of key controls and systems to prevent and respond to intrusions or attacks, with a frequency depending on a risk assessment also required by the law. Companies that allow a user’s data to be breached must foot the bill for two years of credit monitoring and other remedies.

“Many of these breaches are preventable,” Blumenthal told The Hill on Thursday.

“The main cost of a breach should be on the company” responsible for safeguarding the data, he added.

The Justice Department would be able to fine firms that violate the law $5,000 per violation per day, up to a maximum of $20 million per violation. Individuals affected by violations of the law would also be able to bring civil actions against the businesses involved.

The bill also includes a data breach notification provision that is designed to amalgamate the patchwork of state laws that currently apply in the event of an attack. The bill would also require any agency or business that stores or collects personal data to notify consumers if their data has been breached “without unreasonable delay” following the discovery of the breach.

The bill avoids laying out a specific time limit, instead placing the burden on firms to provide authorities with evidence of the notifications and the reasons for any delay.

Citing his experience prosecuting such cases as Connecticut's attorney general, Blumenthal wants firms pressured to notify consumers as quickly as possible. Just how quickly that is depends on the circumstances of the attack, the size of the company involved and the data at risk.

“The amount of time should be measured in hours, not days, at most in days, not weeks,” Blumenthal said. “I’d rather not set an outer boundary that becomes the norm.”

The legislation would also increase the criminal penalties for identity theft and for other crimes such as concealing a security breach involving sensitive personal data or installing a data collection program on someone's computer.

Finally, the legislation attempts to regulate the practices of data brokers, defined as firms that collect the personal information of more than 5,000 individuals who are not their direct customers. The legislation would give consumers the ability to see their own records for a reasonable fee and to request timely corrections to their data.

This post was updated at 5:00 p.m.