Congress

House Dem revives data breach bill after Equifax hack

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen. 

On Sept. 18, Rep. Jim Langevin (D-R.I.) reintroduced legislation to establish national standards for informing consumers when their data has been hacked or breached. The Personal Data Notification and Protection Act of 2017 would require companies that use, store or access sensitive or personally identifying information for more than 10,000 people per year to notify their customers within 30 days of discovering a breach. The legislation would also designate the Federal Trade Commission as the government's coordinating agency to ensure a company's customers are properly notified.

"There is much still to learn about the Equifax breach and its ramifications. What is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen," said Langevin in a statement announcing the bill's reintroduction. "Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly."

Reintroduction of the legislation comes in the wake of an announcement Sept. 8 by credit monitoring agency Equifax that a cyberattack in May exposed the sensitive financial and personal data of up to 143 million Americans, including nearly everyone currently in the U.S. workforce. The bill creates exemptions to the reporting provision for companies that can demonstrate such notification may impact national security, have undergone risk assessments showing no harm to sensitive data or are already enrolled in financial fraud protection programs.

In addition to Langevin, Reps. Ted Lieu (D-Calif.) and Carol Shea-Porter (D-N.H.) have signed on as cosponsors, according to Langevin's office.

Sen. Mark Warner (D-Va.) wrote to FTC's Acting Chairman Maureen Ohlhausen Sept. 13 questioning whether the commission could have done more through existing authorities under the Fair Credit Reporting Act to hold companies like Equifax accountable. Warner also asked if the FTC would support federal legislation mandating that companies notify customers in the event of a breach.

"Taken as a whole, and given past breaches by other major credit bureaus, these lapses may represent a systemic failure by firms currently incentivized to collect and store highly sensitive identification and financial data for Americans," Warner wrote.

In an email to FCW, attorney Chi Chi Wu of the National Consumer Law Center said that while she could not specifically comment on Langevin's bill, consumer groups have opposed federal bills in the past due to their preemption of state laws, some of which contain stricter oversights and stronger remedies for consumers.

For years, high-profile data breaches in the private sector have been met with calls for stricter oversight and a national standard for how companies disclose and respond to hacks that expose consumer data. The original version of the bill was released in 2015 but never made it out of committee in the House. That could in part be due to efforts on behalf of credit bureaus to stymie potential reforms.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.