Langevin Reintroduces the Personal Data Notification and Protection Act

WASHINGTON, D.C. — Following the Equifax data breach, Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus, reintroduced the Personal Data Notification and Protection Act, which provides for a single national breach notification standard.

“There is much still to learn about the Equifax breach and its ramifications,” said Langevin. “What is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen. Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly. Congressional inaction on this topic is stymieing breach recovery, and we must act now to ensure Americans are fully informed following a cybersecurity incident.”

The bill requires that companies notify affected individuals within 30 days of the discovery of a breach of sensitive personal information and requires the Federal Trade Commission to help coordinate breach notification. Notification of the type of information stolen would need to be provided by mail, telephone or, in certain cases, email.
“This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” Langevin continued. “Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure. While I do not believe that breach notification is the only legislative response required following Equifax, it is an important first step in building accountability and protecting consumers.”