New Data Protection Law Would Jail CEOs for Failing to Protect Data
A bill introduced last week, if passed, would impose stiff penalties on companies and CEOs who fail to secure users' data.
A draft of legislation released last week would impose steep fines on companies and an even stiffer penalty, jail time, for senior executives who mishandle consumer data.
The bill, the Consumer Data Protection Act, was proposed by Sen. Ron Wyden (D-OR) on Thursday. It would allow the Federal Trade Commission to set minimum privacy and cybersecurity standards and to issue fines of up to four percent of an organization's annual revenue following what it calls a first offense. It would also, and this is its boldest provision, impose 10-20 year criminal penalties for senior executives who fail to follow guidelines for data use.
The bill (.PDF) would also allow the FTC to:
- Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
- Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
- Hire 175 more staff to police the largely unregulated market for private data.
- Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.
Furthermore, Wyden's bill would stipulate that if a business's revenue surpasses $1 billion per year, or if the business stores data on more than 50 million consumers or consumer devices, it would have to submit an annual data protection report "describing in detail whether, during the reporting period, the covered entity complied with the regulations."
Currently, when it comes to enforcing data protection, the FTC is somewhat limited. It can really only exercise its authority when an organization violates Section 5(a) of the FTC Act and is found to be engaging in "unfair or deceptive acts or practices." Essentially, a company would have to lie about how well it protects a user's data. There is also no initial fining authority under Section 5 of the Act; only after a second offense, traditionally after a business has already entered into an agreement with the FTC, can fines be levied.
Wyden, perhaps Washington's staunchest privacy advocate, has hinted at the bill for months now.
The Senator told Recode's Kara Swisher over the summer that the crux of the prospective legislation would empower citizens to control their data.
"I think there’s gotta be real transparency, there’s gotta be consequences for misusing someone’s data. But this goes right to the heart of the real value of Section 230,” Wyden said, “… If you are misusing consumer data and harvesting people’s information wrongly, I want to come after you."
There has been a slew of data privacy bills introduced in the wake of last year's massive Equifax data breach. Wyden's certainly sounds radical and forward-thinking, but it's still too early to know if it will actually come to pass. More than likely the bill will face an uphill battle and mirror what's expected to be a fervent back and forth between data holders, the big tech companies, and advocates of another bill, the California Data Privacy Protection Act.