Monday, February 10, 2014

Personal Data Protection and Breach Accountability Act of 2014 would enact criminal penalties for "intentionally or willfully" concealing a security breach

Thanks in part to the recent security breaches at Target and Neiman Marcus, pressure for a federal response to data security has grown considerably. Numerous bills have been introduced in the House and the Senate that call for new legislation to address the data security problem.

A proposal common to several of these bills is a new criminal statute aimed at individuals who knowingly and willfully conceal a known security breach. I recently introduced readers to Senator Patrick Leahy’s Personal Data Privacy and Security Act of 2014, and detailed some of the bill's criminal proposals, including numerous amendments to the Computer Fraud and Abuse Act. That bill also included a proposed criminal statute that would read,

Whoever, having knowledge of a security breach and of the fact that notice of such security breach is required under title II of the Personal Data Privacy and Security Act of 2014, intentionally and willfully conceals the fact of such security breach, shall, in the event that such security breach results in economic harm to any individual in the amount of $1,000 or more, be fined under this tile [sic] or imprisoned for not more than 5 years, or both. 
Last Tuesday, ahead of a Senate Judiciary Committee hearing addressing the Target and Neiman Marcus data breaches, Senator Richard Blumenthal and Senator Ed Markey introduced the Personal Data Protection and Breach Accountability Act of 2014. According to a recent press release, Senator Blumenthal stated that the bill “will give consumers much stronger, industry-wide protections against massive thefts of private financial information” and that “[s]tiffer enforcement with stringent penalties are vital to assure that retailers use state of the art safeguards.” Similar to Senator Leahy’s bill, the Personal Data Protection and Breach Accountability Act of 2014 would include a new criminal statute that would read, 
Whoever, having knowledge of a security breach and of the fact that notice of such security breach is required under title II of the Personal Data Protection and Breach Accountability Act of 2014, intentionally or willfully conceals the fact of such security breach and which breach, shall, in the event that such security breach results in economic harm or substantial emotional distress to 1 or more persons, shall be fined under this title or imprisoned not more than 5 years, or both.
A notable difference between these two proposals is the harm threshold. Senator Leahy’s bill applies only where the breach “results in economic harm to any individual in the amount of $1,000 or more,” whereas the Personal Data Protection and Breach Accountability Act applies where the breach “results in economic harm or substantial emotional distress to 1 or more persons,” with no dollar floor on the economic harm. The mental-state element also differs: Senator Leahy’s bill requires concealment that is “intentionally and willfully” done, while the new bill requires concealment that is “intentionally or willfully” done. In my eyes, this would encompass significantly more security breaches than in Senator Leahy's already broad proposal.

In a recent op-ed for the International Association of Privacy Professionals’ online publication, Privacy Perspectives, I question whether criminal liability for failing to disclose a data security breach would be a prudent move, focusing specifically on Senator Leahy’s bill. My concerns would extend to this new proposal as well.

It will be interesting to see, with such an outcry for a federal response, what (if anything) will be adopted, and whether some variation of these "criminal concealment of a known security breach" proposals will be included.
