Senators Introduce Data Breach Disclosure Legislation | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Senators Introduce Data Breach Disclosure Legislation

December 4, 2017
by Heather Landi
| Reprints

Three Democratic senators—Florida Senator Bill Nelson, Senator Richard Blumenthal of Connecticut and Wisconsin Senator Tammy Baldwin—introduced legislation which requires companies to promptly report data breaches and imposes new criminal penalties for executives who try to deliberately conceal data breaches.

The proposed bill, the Data Security and Breach Notification Act, was introduced in the wake of Uber’s recent disclosure of a major 2016 data breach. According to Uber, hackers accessed the personal information of 57 million riders and drivers last year, a breach that the company didn’t disclose publicly until two weeks ago. At the time of the breach, Uber paid hackers $100,000 to destroy the data and did not tell regulator or users that their information was stolen, according to media reports.

The legislation would, among other things, require companies to notify consumers of a data breach within 30 days; and make it a crime – punishable by up to five years in prison – for knowingly concealing a breach.  

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Nelson said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.  When it comes to doing what’s best for consumers, the choice is clear.”

The bill would require covered entities that own or possess data in electronic form containing personal information must provide notification to users or consumers within 30 days of the discovery of a data breach unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public.

The bill also proposed that a covered entity cannot will not be held to that 30 days notification window if the company or organization can show that it’s not feasible in order to accurately identify affected consumers or to prevent further breach or unauthorized disclosures or to reasonably restore the integrity of the data system.

In addition, the bill proposes to make the willful concealment of a breach a crime punishable by up to five years in prison.

The bill also directs the Federal Trade Commission (FTC) to develop strict security standards that businesses would be required to follow to better protect consumers' personal and financial data. It also provides incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Study will Leverage Connecticut HIE to Help Prevent Suicides

A new study will aim to leverage CTHealthLink, a physician-led health information exchange (HIE) in Connecticut, to help identify the factors leading to suicide and to ultimately help prevent those deaths.

Duke Health First to Achieve HIMSS Stage 7 Rating in Analytics

North Carolina-based Duke Health has become the first U.S. healthcare institution to be awarded the highest honor for analytic capabilities by HIMSS Analytics.

NIH Releases First Dataset from Adolescent Brain Development Study

The National Institutes of Health (NIH) announced the release of the first dataset from the Adolescent Brain Cognitive Development (ABCD) study, which will enable scientists to conduct research on the many factors that influence brain, cognitive, social, and emotional development.

Boston Children's Accelerates Data-Driven Approach to Clinical Research

In an effort to bring a more data-driven approach to clinical research, Boston Children’s Hospital has joined the TriNetX global health research network.

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

Despite the high level of hospital adoption of electronic health records and federal incentives to do so, paper and films were the most frequent location of breached data in hospitals, according to a recent study.

AHA Appoints Senior Advisor for Cybersecurity and Risk

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.