House Dem revives data breach bill after Equifax hack

On Sept. 18, Rep. Jim Langevin (D-R.I.) reintroduced legislation to establish national standards for informing consumers when their data has been hacked or breached. The Personal Data Notification and Protection Act of 2017 would require companies that use, store or access sensitive or personally identifying information for more than 10,000 people per year to notify their customers within 30 days of discovering a breach. The legislation would also designate the Federal Trade Commission as the government's coordinating agency to ensure a company's customers are properly notified.

"There is much still to learn about the Equifax breach and its ramifications. What is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen," said Langevin in a statement announcing the bill's reintroduction. "Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly."

Reintroduction of the legislation comes in the wake of an announcement Sept. 8 by credit monitoring agency Equifax that a cyberattack in May exposed the sensitive financial and personal data of up to 143 million Americans, including nearly everyone currently in the U.S. workforce. The bill creates exemptions to the reporting provision for companies that can demonstrate such notification may impact national security, have undergone risk assessments showing no harm to sensitive data or are already enrolled in financial fraud protection programs.

In addition to Langevin, Reps. Ted Lieu (D-Calif.) and Carol Shea-Porter (D-N.H.) have signed on as cosponsors, according to Langevin's office.

Sen. Mark Warner (D-Va.) wrote to FTC's Acting Chairman Maureen Ohlhausen Sept. 13 questioning whether the commission could have done more through existing authorities under the Fair Credit Reporting Act to hold companies like Equifax accountable. Warner also asked if the FTC would support federal legislation mandating that companies notify customers in the event of a breach.

"Taken as a whole, and given past breaches by other major credit bureaus, these lapses may represent a systemic failure by firms currently incentivized to collect and store highly sensitive identification and financial data for Americans," Warner wrote.

In an email to FCW, attorney Chi Chi Wu of the National Consumer Law Center said that while she could not specifically comment on Langevin's bill, consumer groups have opposed federal bills in the past due to their preemption of state laws, some of which contain stricter oversights and stronger remedies for consumers.

For years, high-profile data breaches in the private sector have been met with calls for stricter oversight and a national standard for how companies disclose and respond to hacks that expose consumer data. The original version of the bill was released in 2015 but never made it out of committee in the House. That could in part be due to efforts on behalf of credit bureaus to stymie potential reforms.