Legislation Aims to Crack Down on Data Security Breaches
Legislation unveiled by Sen. Ron Wyden (D-Ore.), titled the Consumer Data Protection Act, aims to address the nationwide epidemic of data security breaches. The bill would impose fines of up to $5 million and up to twenty years in prison on executives who knowingly mislead federal authorities. It also aims to strengthen the Federal Trade Commission's (FTC) ability to crack down on violators and to give consumers more power over how their information is handled.
“Big companies are vacuuming up people’s personal information, just scooping it up,” Wyden said. “Everything you read, everywhere you go, everything you buy is sucked up in a corporation’s database.” He added, “It’s long overdue that we made clear to these companies that consumers need to come first.”
According to the San Diego-based Privacy Rights Clearinghouse, more than 11 billion records have been compromised in 9,000 known data breaches since 2005. These include the well-publicized breach of Equifax, in which attackers gained access to the files of 148 million U.S. consumers, and the Yahoo breaches that exposed the data of 3 billion users. The true figures are probably even higher: under California law, for example, a company can keep a breach secret if it "reasonably believes" nobody was affected, so breaches that are never disclosed never make it into such tallies.
“The consumer has the right to some sunshine about how their information is used,” Wyden argued. “My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”
American businesses are pushing back, lobbying for a weaker federal privacy statute that would preempt tougher state laws, such as the California Consumer Privacy Act, set to take effect in 2020. The California law lets state residents find out what kinds of information a business has collected about them and lets them request that a company delete their personal information.
But state laws are no match for those being rolled out in Europe. The General Data Protection Regulation (GDPR), enforceable since 2018, requires that companies have a lawful basis, most commonly the customer's consent, before collecting or sharing personal information. It also gives consumers the right to know how their data is being used and to receive a free copy of the data a company holds on them. Companies must notify the supervisory authority of a security breach within 72 hours of becoming aware of it, and must notify affected individuals without undue delay when the breach is likely to put them at high risk. Any violation can result in a fine of up to 20 million euros ($23 million) or 4% of the company's annual global revenue, whichever is greater.
Under Wyden's Consumer Data Protection Act, any company with revenue of more than $1 billion per year, or that stores data on more than 50 million consumers or consumer devices, would have to submit an annual "data protection report" to the FTC listing the privacy and security measures it has taken to protect consumer information. Companies that deliberately mislead the FTC would face a fine of up to 4% of annual revenue.
“I think the ground is shifting fast,” said William McGeveran, a law professor at the University of Minnesota. “The new laws in Europe and California, changing politics around the power of Silicon Valley companies, and rising concern about privacy and security all contribute to that.”