According to the New York Times, Sen. Richard Blumenthal of Connecticut proposed the Personal Data Protection and Breach Accountability Act of 2011 this week in order to hold businesses accountable for data breaches that put customers at personal or financial risk. The bill is directed at companies that have more than 10,000 users or customers and requires those businesses to implement specific security measures and to have a response team in place for any future intrusion. If the bill is passed into Federal law, the Justice Department will be able to levy fines of $5,000 per violation per day, up to a stiff maximum of $20 million per infringement. In addition to the fines, the law could be used by users to sue any company that doesn’t take proper precautions.
Beyond the penalties directed at companies with poor security, the bill also increases the penalties faced by anyone caught participating in or profiting from phishing attacks. Under the new law, a convicted phisher would face a $1 million fine as well as 5 years in Federal prison. The bill makes installing any piece of software that collects personal information without the user’s express permission a criminal act. In addition, the bill would make the practice, often used by less than reputable Internet service providers, of rerouting search results for financial gain a criminal act. Anyone participating in these actions faces the same penalty as phishers.
Blumenthal was a particularly vocal critic of Sony during the data breach earlier this year, a breach that put data from over 77 million users in jeopardy. During the investigation into the breach, the senator repeatedly pressed Sony’s Jack Tretton to explain why it took Sony six days to inform users of the data breach. The network outage is rumored to have cost Sony over $170 million, and the company is currently in a legal battle with an insurance company over the exorbitant costs of the hack.