April 11, 2018

Rep. Correa Reiterates Need For Federal Data Breach Laws

Washington, DC—Following Equifax’s immense data breach in February of 2017, Congressman Lou Correa introduced H.R.3975—Cyber Breach Notification Act of 2017. The recent revelations about Cambridge Analytica’s exploitation of Facebook’s data in 2015 highlight the need for federal legislation mandating that corporations promptly notify their users when their data is stolen or misused.

Rep. Correa said:

“Now more than ever, our data is at risk. Much of our world is digitally connected, and deeply personal data is collected everywhere. We need laws that reflect this risk. My legislation will ensure that if an individual’s data is stolen, they will be told promptly. When the next Equifax or Cambridge Analytica breach happens, our constituents must know.

“In 2002, I helped pass California’s data breach law. This law has been instrumental in informing and protecting Californians, and my bill brings those same principles to the federal government. It is imperative to all our security that every American knows if their data is stolen. We all deserve the opportunity to take action and protect ourselves. That starts with notification.”

Rep. Correa’s legislation establishes a federal law modeled after California’s data notification law and HIPAA’s data notification provisions, which are currently in place to notify individuals of data breaches in the medical field. In the event of a future data breach, this bill will:

  • Require businesses to notify the FBI, FTC, appropriate agencies, and attorneys general of data breaches.

  • Require businesses to notify individuals “in the most expedient time possible and without unreasonable delay” and in no case later than 30 days after the data breach is discovered.

  • Require businesses to send notifications by mail, email, post information about the data breach on the company’s website for a minimum of 30 days, and to set up a toll-free number.

  • Require notices to include a brief description of what happened, the types of sensitive personal information that was involved in the breach, and what the business is doing to investigate the breach to mitigate losses and to protect against any further breaches.

  • Allow the FBI to delay notification in increments of 30 days if they determine that notifying people would impede a criminal investigation or cause damage to national security.

  • Establish a federal standard for data breach notification laws, but would not preempt current states’ breach notification laws or preclude states from creating more robust laws.

  • Allow the FTC to take actions ranging from getting the organization to report the breach to imposing civil monetary penalties for failing to notify affected individuals in the event of a reportable breach.