A new bill could send company executives to jail if they fail to disclose a cybersecurity event to the public within a reasonable amount of time, or intentionally attempt to conceal it.
Continue Reading Below
Under the legislation, sponsored by three Democratic senators, companies would be required to report any cyberattack within 30 days. Deliberately hiding the event could result in a prison sentence of up to 5 years.
A similar bill was originally introduced by Sen. Bill Nelson (D-Fla.) in 2014.
The disclosure process has been under scrutiny this year after Equifax (NYSE:EFX) discovered a massive breach at the end of July that compromised the personally identifiable information of 145 million Americans, and waited until mid-September to notify customers. Last month, ride-sharing company Uber said the personal information of 57 million users was compromised in a 2016 breach.
During multiple cybersecurity hearings on Capitol Hill, lawmakers expressed concerns that company executives had little true incentive to work in the best interests of consumers following a cyberattack because they faced few repercussions. Chairman of the U.S. Securities and Exchange Commission Jay Clayton has also said that the disclosure process for companies could use some updates.
Nearly every state has laws governing disclosures, but experts have told lawmakers that having a uniform national standard could improve the process and increase transparency.