
S. 2179 (115th): Data Security and Breach Notification Act

Tens of millions of consumers have had their personal health care information, Social Security numbers, credit card numbers, and email addresses hacked — and that’s just this year alone.

The Data Security and Breach Notification Act would create the first-ever federal standard for punishing such breaches.

Context and what the bill does

The biggest data and consumer information hacks of all time include breaches affecting more than 50 million customers each at Uber, LinkedIn, Target, Home Depot, Yahoo, and eBay.

The Data Security and Breach Notification Act would:

  • Require companies to notify consumers that they have had a security breach within 30 days.
  • Institute a maximum five-year prison sentence for intentionally hiding such a breach.
  • Create financial incentives for companies or organizations that utilize technologies which make consumer information unreadable in the event of a breach.

The bill was introduced on November 30 by Sen. Bill Nelson (D-FL), labelled S. 2179 in the Senate.

What supporters say

Supporters argue the bill would add tough accountability measures in the wake of a dramatically escalating threat to consumer privacy.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Nelson said in a press release. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.”

What opponents say

Opponents note that 48 states, all except Alabama and South Dakota, already have similar laws at the state level. In the opponents’ view, this renders a federal equivalent less necessary or possibly even unnecessary.

47 state attorneys general of both parties wrote a letter to Congress expressing this sentiment in 2015.

“State attorneys general are on the front lines responding to data breaches. Our offices hear directly from affected consumers, and we regularly respond directly to their complaints and calls,” the letter read. “Preempting state law would make consumers less protected than they are right now. Our constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns.”

Odds of passage

The legislation has attracted two Senate cosponsors, both Democrats. It awaits a vote in the Senate Commerce, Science, and Transportation Committee, where Nelson is the top-ranking Democrat.

Nelson introduced similar legislation in 2015, which attracted one cosponsor and never received a vote. However, just in the past two years, public anger about data breaches has increased significantly after breaches of tens of millions of Uber and Equifax accounts, including Social Security numbers and other private information.

Last updated Dec 22, 2017.

The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress, and was published on Nov 30, 2017.

Data Security and Breach Notification Act

This bill requires the Federal Trade Commission to require certain entities that own or possess data containing personal information, or that contract with a third-party to maintain or process such information, to implement certain information-security policies and procedures for the treatment and protection of the information.

Such entities must provide specified notice following the discovery of a security breach of such information.