A new Consumer Data Protection Act was proposed on October 31 by Senator Ron Wyden from Oregon. The senator has long been an advocate of cybersecurity and privacy issues, and his new bill proposes strict penalties – including fines and prison time – for companies that violate consumer privacy, according to a press release.
The draft proposes amending the Federal Trade Commission Act to hold entities that use, store and share personal information more responsible for the data they collect and would apply to companies with more than $50 million in revenue and personal information on more than 1 million people. The act excludes data brokers or commercial entities that, “as a substantial part of their business, collects, assembles or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.”
Presumably, small to medium-sized businesses (SMBs) would fall outside the scope of this legislation, and Colin Bastable, CEO of Lucy Security, said that would bode well for SMBs. “These are the businesses that struggle to afford advanced security technology. They lack the people and the skills to defend their customers’ confidential data from hackers. Therefore, in addition to legislation, we must encourage all organizations, employees and consumers to prepare for the inevitability of successful attacks – teach, train and test, continuously."
This newest proposed legislation adds to the growing collection of data privacy acts already pending on Capitol Hill, including another Consumer Data Protection Act (this one introduced in 2017 by Sen. Robert Menendez), the Data Breach Prevention and Compensation Act (DBPCA), CLOUD Act and the ENCRYPT Act.
“Recent events like the Equifax data breach, Cambridge Analytica, Facebook and more have fueled the fire and will enable these to gather substantial support on both sides of the aisle as cybersecurity and data privacy issues remain front and center to everyone’s constituent needs,” said Pravin Kothari, CEO of CipherCloud.
“The cognoscenti on Capitol Hill will tell you that these bills will likely be rolled up as one, most likely before they leave the Senate. Legislation is likely to be omnibus and then will replace the myriad of conflicting state efforts to provide similar legislation.”
Certainly data privacy has gained broad-level awareness, and Brian Vecci, technical evangelist at Varonis, said that even if Sen. Wyden's proposed privacy bill doesn’t become law right away, it’s clear that the tide is shifting in favor of privacy.
“Companies may really be forced to think of their data like their dollars and could face penalties if information is mishandled and exposed as part of a breach. Privacy is becoming top of mind for consumers and voters, and companies that have taken steps to meet the obligations of other privacy frameworks like the GDPR are clearly going to be ahead of everyone else.”