Rep. Jim Langevin, D-R.I., reintroduced legislation this week that would require companies that experience a breach to notify affected individuals within 30 days of the breach’s discovery and to coordinate with the Federal Trade Commission in doing so.
“This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” Langevin said. “Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure. While I do not believe that breach notification is the only legislative response required following Equifax, it is an important first step in building accountability and protecting consumers.”
The Personal Data Notification and Protection Act was first introduced in March 2015. It was reintroduced in this congressional session not long after Equifax announced a breach of consumer data, nearly a month and a half after the company had detected it.
“There is much still to learn about the Equifax breach and its ramifications,” said Langevin. “What is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen. Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one Federal regulator to help get actionable information to consumers quickly. Congressional inaction on this topic is stymieing breach recovery, and we must act now to ensure Americans are fully informed following a cybersecurity incident.”
Members of both the House and Senate have called for congressional hearings to investigate the Equifax hack, and a lawsuit has been filed against the company for failing to adequately protect consumer financial data. A recent Comodo Threat Intelligence Labs investigation also found that Equifax executives’ passwords were available for sale on the Dark Web.