Column: This bill includes prison for CEOs who fail to take consumer privacy seriously
It’s gotten to the point that there are so many data breaches, people can find it hard to work up a sense of outrage over their privacy being violated again and again and again.
The business world is counting on such breach fatigue to keep meaningful privacy safeguards at bay.
Consumers shouldn’t hand them such a huge victory.
Which is why we should all get behind legislation unveiled by Sen. Ron Wyden (D-Ore.) called the Consumer Data Protection Act. It’s a sweeping bill aimed at addressing the nationwide epidemic of data security lapses. And it has teeth.
Not least among its provisions, the bill would impose $5-million fines and up to 20 years in prison for executives who knowingly mislead federal authorities about their security efforts.
It also would strengthen the Federal Trade Commission’s ability to crack down on privacy violations and give consumers more power to control how their personal information is used.
“Big companies are vacuuming up people’s personal information, just scooping it up,” Wyden told me. “Everything you read, everywhere you go, everything you buy is sucked up in a corporation’s database.
“It’s long overdue that we made clear to these companies that consumers need to come first,” he said.
Case in point: Facebook. The social media giant reportedly went to elaborate lengths both to minimize recent security lapses and to undermine the credibility of critics. It’s now under fire for putting its own interests way ahead of all other considerations.
According to the Privacy Rights Clearinghouse, a San Diego advocacy group, more than 11 billion records have been compromised in nearly 9,000 known data breaches since 2005.
Some get attention, such as hackers breaking into credit agency Equifax and gaining access to the files of about 148 million U.S. consumers. Or 3 billion Yahoo users having their privacy endangered in what was likely the biggest hack of all time.
But most data breaches fly below the radar, either because they’re too small to merit media attention or they never get reported. Under California law, a company can keep a breach to itself if it “reasonably believes” nobody got harmed.
“The consumer has the right to some sunshine about how their information is used,” Wyden declared.
“My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”
To which I say: It’s about time.
American businesses, led by banks and other financial firms, have lobbied aggressively to keep the government from prying into their data security measures — and to minimize their accountability when (not if) a breach occurs.
They’re already pushing for a weak federal privacy statute that would preempt tougher state laws, such as the California Consumer Privacy Act, which is set to take effect at the beginning of 2020.
The California law allows state residents to find out what kinds of information a business has collected. It also permits consumers to request that a company delete any personal information it holds, to opt out of the sale of such info and to sue if reasonable security practices aren’t maintained to prevent data breaches.
The Europeans have gone even further. The General Data Protection Regulation, which took effect in May, is bristling with provisions aimed at leveling the privacy playing field. It requires that companies obtain consent from customers before using or sharing their personal information.
It also gives consumers the right to know how their personal data is being used and to receive a free copy of any such information held by a business. People must be notified of a security breach within 72 hours.
And get this: Any violation of the European law can result in a fine of up to 20 million euros ($23 million) or 4% of the company’s annual global revenue, whichever is greater.
Last year, Equifax had revenue of $3.4 billion. Four percent of that is $136 million.
Under Wyden’s bill, any company with revenue topping $1 billion a year, or that stores data on more than 50 million consumers or consumer devices, would have to submit an annual “data protection report” to the FTC detailing all activities related to keeping people’s info under wraps.
A 4%-of-revenue penalty would be imposed on companies found to have deliberately misled the FTC in the report. Scofflaw executives would be slapped with separate $5-million fines.
And if an exec enjoys a particularly fat compensation package, the bill says the $5-million fine would be replaced with 25% of “the largest amount of annual compensation the person received during the previous three-year period.”
Comcast Chief Executive Brian Roberts, for instance, had total compensation of $32.5 million last year. If Wyden’s bill were law, he better pray he never runs afoul of the FTC’s privacy watchdogs, not unless he considers a more than $8-million fine just another cost of doing business.
I spoke with a number of privacy experts about the legislation. They all agreed the time is ripe for stronger measures to protect consumers.
“I think the ground is shifting fast,” said William McGeveran, a law professor at the University of Minnesota. “The new laws in Europe and California, changing politics around the power of Silicon Valley companies, and rising concern about privacy and security all contribute to that.”
He said that “passing any legislation in this dysfunctional Congress has become very difficult, but I think there is more interest in comprehensive privacy laws now than at any time since the 1970s.”
Most other experts, though, said any bill featuring millions of dollars in executive fines and the threat of orange jumpsuits for CEOs stands little chance of becoming law.
“The Wyden bill looks like an opening bid,” said Peter Swire, a professor of law and ethics at Georgia Tech. “It sets forth what Wyden believes strong protections would look like. I don’t think he expects penalties this strict to be adopted.”
I asked Anita L. Allen, a law professor at the University of Pennsylvania, how aggressively businesses would fight any such law. She had a one-word answer: “Very.”
Realpolitik notwithstanding, Wyden is correct to push the U.S. toward greater consumer privacy protections. And anyone with personal data on the line, which is everyone, should get behind his Consumer Data Protection Act.
Wyden said the bill is now circulating among interested parties. He plans to officially introduce it in Congress early next year.
He encouraged all people to contact their congressional representatives and voice support for the legislation.
You also can share your thoughts by emailing Wyden at PrivacyBillComments@wyden.senate.gov