Healthcare Informatics Magazine | Health IT | Information Technology

Senators Introduce Data Breach Disclosure Legislation

December 4, 2017
by Heather Landi

Three Democratic senators—Florida Senator Bill Nelson, Senator Richard Blumenthal of Connecticut and Wisconsin Senator Tammy Baldwin—introduced legislation that would require companies to promptly report data breaches and impose new criminal penalties on executives who deliberately conceal them.

The proposed bill, the Data Security and Breach Notification Act, was introduced in the wake of Uber’s recent disclosure of a major 2016 data breach. According to Uber, hackers accessed the personal information of 57 million riders and drivers last year, a breach that the company did not disclose publicly until two weeks ago. At the time of the breach, Uber paid the hackers $100,000 to destroy the data and did not tell regulators or users that their information had been stolen, according to media reports.

The legislation would, among other things, require companies to notify consumers of a data breach within 30 days and make it a crime, punishable by up to five years in prison, to knowingly conceal a breach.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Nelson said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”

The bill would require covered entities that own or possess electronic data containing personal information to notify users or consumers within 30 days of discovering a data breach, unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public.

The bill also proposes that a covered entity would not be held to the 30-day notification window if the company or organization can show that meeting it is not feasible in order to accurately identify affected consumers, to prevent further breaches or unauthorized disclosures, or to reasonably restore the integrity of the data system.

In addition, the bill proposes to make the willful concealment of a breach a crime punishable by up to five years in prison.

The bill also directs the Federal Trade Commission (FTC) to develop strict security standards that businesses would be required to follow to better protect consumers' personal and financial data. It also provides incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.

