Rep. Jim Langevin (D-R.I.) reintroduced a bill establishing a national breach notification law on Monday.
“There is much still to learn about the Equifax breach and its ramifications; what is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen,” Langevin said in a press release announcing the reintroduction of the Personal Data Notification and Protection Act, considered an Obama administration priority when it was introduced in 2015.
“Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly,” Langevin continued.
The laws designating how businesses must react after a data breach currently vary wildly from state to state. Forty-eight states, plus Washington, D.C., and Puerto Rico, have individual rules concerning what a vendor must tell the state's citizens if personal information is accessed on a breached server. No such laws exist in Alabama and South Dakota.
State laws cover the citizen whose data was breached; for example, a Californian whose data is stolen from an Alabama server is protected by the California law.
Langevin's bill will make all states abide by the same standard, giving companies 30 days to notify all victims of a breach and requiring companies to coordinate notifications with the Federal Trade Commission.
“Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure,” said Langevin.
“While I do not believe that breach notification is the only legislative response required following Equifax, it is an important first step in building accountability and protecting consumers.”