US Senator Proposes Data Protection Bill Imposing Criminal Fines and Penalties for Breaches

U.S. Sen. Ron Wyden, D-Oregon, has announced draft legislation for a data protection bill that would impose steep criminal penalties for violations of the law, including heavy fines for companies and possible 10-to-20-year prison sentences for senior executives at the world's largest data collectors.

Wyden announced Nov. 1 that he is seeking feedback on what he calls the Consumer Data Protection Act of 2018. If introduced and passed as it is currently written, the bill would allow the Federal Trade Commission to establish minimum privacy and cybersecurity standards and would allow for a national “do not track” system that would allow consumers to see which companies have their data. It also would allow for consumers to tell third-party companies to delete their information.

“My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information,” Wyden said in the news release announcing the draft legislation.

If it became law, the bill would apply to companies with more than $1 billion per year in revenue or that hold the personal information of 50 million or more people. Companies found to be in violation would face fines of up to 4 percent of their annual revenues, and their senior executives could face 10 to 20 years in prison.

Congress has not passed a federal law regulating data brokers since the FTC released a May 2014 report on the data broker industry.

“I think it’s interesting who would end up being targets [of an investigation],” Andrew Burt, chief privacy officer and legal engineer of Immuta, a data management company, said. “It’s almost marrying personal and corporate responsibility.”

While this bill would be a federal law, Burt said that it would not get rid of the patchwork of data regulation laws that states already have in place. He said that, in the U.S., there has been a history of creating data laws for different sectors of industry.

“I think there is an appetite for a single standard,” Burt said. “What’s interesting to me is that this only applies to organizations that amass a huge amount of data, so it’s not going to be this single privacy standard that other people are discussing.”

Dimitri Sirota, co-founder and CEO of BigID, a software company that helps companies protect personal information, said that he does not think the U.S. will ever get away from the "patchwork" of regulations governing data. However, he said bills such as Wyden's are important because companies tend to comply with the regulations that carry the most serious ramifications.

“From a practical standpoint, I think companies always budget toward the regulation that’s going to get them in the most trouble,” Sirota said.

Sirota said that, despite a very divided legislature, a bill like this would be able to pass because protection of data and privacy online is a bipartisan issue.

“I would say that, in a split Congress, this is the type of thing they could get passed,” Sirota said. “I do think it has support from both sides of the aisle.”

Other observers, however, feel the proposal is unlikely to pass as drafted, given strong lobbying by data brokers and others against other efforts to regulate the industry.