A U.S. senator wants corporate executives held personally responsible for data breaches that result in the theft or compromise of consumer personally identifiable information (PII). Oregon Sen. Ron Wyden, like millions of Americans, had apparently become frustrated that no one was being held accountable for large data breaches. Unlike most Americans, he had the power to do something about it, so he introduced the Consumer Data Protection Act (CDPA).
“Individual Americans know far too little about how their data is collected, how it’s used and how it’s shared,” Wyden said in an official statement. “My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”
If passed, the CDPA would be administered by the Federal Trade Commission (FTC), which would then be able to set and enforce a minimum privacy and security standard, create a Do Not Track database that lets consumers opt out of third-party web sharing, and require companies to tell consumers how their personal data is stored and used, among other actions.
Jail for CEOs?
The part of the bill that is gathering headlines is the penalties. As under GDPR, companies that fail to meet the CDPA’s standards would have to pay very steep fines. But Wyden’s bill goes a step further. As ZDNet explained it, executives at these companies would also have to submit privacy reports. “Senior executives at these large companies, such as Chief Executive Officers, Chief Privacy Officers, or Chief Information Security Officers would personally vouch for these reports,” the article stated. “The reports would have to detail if and how the company complied with the CDPA’s new privacy rules. If execs lie or fail to disclose privacy breaches in these reports, they could face up to 20 years in prison.”
So under this bill, it is not the breach itself that is criminal: an executive who certifies a false privacy report, or who fails to disclose a breach in one, would be committing a crime. The C-suite has traditionally been the obstacle to putting better security practices in place, usually on cost grounds. Will the threat of jail time change that attitude?
Not Everyone Will Be Affected
The CDPA would affect only the largest enterprises: those with at least $50 million in annual revenue that hold data on more than 1 million consumers.
“Seventy percent of the U.S. economy is made up of SMB enterprises, so they would presumably fall outside the scope of this proposed legislation: these are the businesses that struggle to afford advanced security technology,” Colin Bastable, CEO of Lucy Security, said in an email comment. “Therefore, in addition to legislation, we must encourage all organizations, employees and consumers to prepare for the inevitability of successful attacks – teach, train and test, continuously.”
It’s Not the Only Bill Introduced This Year
Sens. Elizabeth Warren of Massachusetts and Mark Warner of Virginia introduced the Data Breach Prevention and Compensation Act (DBPCA) in January. This bill, which would also give jurisdiction to the FTC, focuses on the data security practices of the credit reporting agencies. Consumers would be compensated if their information was compromised, and the agencies would face penalties.
It appears the Equifax breach is the impetus for both of these bill proposals. The breach brought about a rare moment of bipartisanship on Capitol Hill—both sides were outraged by the breach and its aftermath.
Now the question is whether either one of these pieces of legislation will get pushed through to become law. Pravin Kothari, CEO of CipherCloud, said in an email comment that we should expect the bills to merge, adding, “Legislation is likely to be omnibus and then will replace the myriad of conflicting state efforts to provide similar legislation.”
The momentum for privacy laws is certainly building. Wyden’s bill comes after Apple CEO Tim Cook publicly called for privacy legislation, and others in the tech industry said the same in front of a Senate committee. More states are taking on their own initiatives. That’s the good news. The bad news is that Congress overall has dragged its collective feet on passing any type of privacy or security legislation. If past experience is any indication, I expect a great deal of lobbying from the private sector to water down these bills, especially the severe punishments. I’m not the only one who feels that way.
“We must hope that our politicians don’t make their usual mess of things by loading the legislation with special-interest privileges, pork and point-scoring,” said Bastable. The need for this type of legislation has never been higher.