Free Enterprise - The FindLaw Small Business Law Blog

Executives Could Be Liable for Hiding Data Breaches

We might remember 2014 as the Year of the Data Breach. But 2017 saw what has the potential to be the most catastrophic hack in history. And 2018 might be the year when Congress cracks down on companies concealing data breaches.

Last week, three senators introduced new legislation that would require companies to report data breaches within 30 days, and even provide prison time for executives who knowingly conceal a data breach.

Data Breach Defense and Disclosure

The Data Security and Breach Notification Act comes on the heels of two major hacks that went unreported for weeks or months. Equifax waited 41 days to notify the public that names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers for more than 145 million people had been exposed. And Uber went as far as paying the hackers to delete the stolen data in an effort to hide a 2016 breach.

The Act would require any "entity that owns or possesses data containing personal information" to "establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information." In the event of a data breach, the law would also require companies to notify each individual whose information has been "acquired or accessed from the covered entity as a result of the breach of security," as well as the Federal Trade Commission.

Corporate and Personal Civil and Criminal Penalties

The new proposal would be backed with some hefty civil fines and criminal penalties. Companies could be charged $11,000 for each day they fail to report, with each person whose information was affected counted as a separate violation. So, for example, because Equifax was 11 days past the proposed 30-day deadline, that would be $121,000 per individual; multiplied across the 145 million people who weren't notified, the fine balloons to roughly $17.5 trillion. (Though the bill may include caps on monetary penalties.)

In addition, any person who knows of the breach and of the reporting requirement, and who "willfully conceals the fact of the breach of security," can be fined and/or imprisoned for up to five years. Whether the law changes how breaches are reported in practice depends first on whether the bill makes it through Congress.
