U.S. Senator Ron Wyden (D-OR) touched a leadership nerve last year when he proposed jail time for executives who fail to take cybersecurity and privacy seriously—from CEOs and CIOs to Chief Information Security Officers and Chief Privacy Officers.
Comprehensive national data privacy & cybersecurity bill
After months of comments on that bill, he's now proposed the most comprehensive protections for Americans' private data ever introduced.
Wyden proudly announced that it goes further than Europe's General Data Protection Regulation (GDPR).
And yes, locking up senior business, security, and privacy executives is part of it. So are GDPR-level fines, up to 4% of company revenue.
It's called the Mind Your Own Business Act. But it could just as easily be called the "We're Incredibly Mad at Zuckerberg Act," and Wyden called him out today:
"Mark Zuckerberg won't take Americans' privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won't do the job, so under my bill he'd face jail time for lying to the government," Wyden said.
"I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information."
In other words, prison time for executives, and steep fines that would actually make corporations feel an earnings impact.
How much jail time for cybersecurity and privacy executives?
How much jail time are we talking about for senior executives like CEOs and CPOs, and potentially those in cybersecurity? The legislation calls for jail terms of up to 10 years in some cases, and up to 20 years in others.
This leads to a question: what exactly are you being punished for here? What could you do to earn time in the slammer?
Here's one example: Your organization is failing at privacy or cybersecurity and gets caught lying about it to the Federal Trade Commission (FTC).
This small passage of the Mind Your Own Business Act speaks to what will be required:
"Each annual report filed by a company with the Federal Trade Commission pursuant to section 5(a) 3 of the Mind Your Own Business Act of 2019 shall be accompanied by a written statement by the chief executive officer and chief privacy officer (or equivalent thereof) of the company."
This statement, as the legislation calls it, will certify that your organization complies with new federal privacy and cybersecurity standards which are to be developed.
So let's take a wider view of what Senator Wyden's new bill would require corporate America to do and what the U.S. government's role will be if the legislation becomes law.
6 privacy and security law changes being proposed
Right now, Wyden says, the FTC really has no teeth when it comes to holding corporations accountable to privacy and security standards.
Changing that is a big focus, as you will see. Here are six things the bill would implement:
(1) Establish minimum privacy and cybersecurity standards. [Note: this is what your company would certify it is meeting.]
(2) Issue steep fines (up to 4% of annual revenue) on the first offense for companies, and 10- to 20-year criminal penalties for senior executives who knowingly lie to the FTC.
(3) Create a national Do Not Track system that lets consumers stop companies from tracking them on the web, selling or sharing their data, or targeting advertisements based on their personal information. Companies that wish to condition products and services on the sale or sharing of consumer data must offer another, similar privacy-friendly version of their product, for which they can charge a reasonable fee.
This fee will be waived for low-income consumers who are eligible for the FCC's Lifeline program.
(4) Give consumers a way to review the personal information a company has about them, to learn with whom it has been shared or sold, and to challenge inaccuracies in it.
(5) Hire 175 more [federal government] staff to police the largely unregulated market for private data.
(6) Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.
Does a national cybersecurity and privacy law make sense?
Remember the Magic 8 ball you had as a kid? Predicting what types of legislation can make it through Congress is like shaking one of those and looking into the 8 ball's window for the answer. However, in this case, we'd argue that "Signs Point to Yes."
Yes, as in some sort of national cybersecurity and privacy law.
In general, many in security and privacy like the idea of a national U.S. standard.
At our SecureWorld conferences, we hear from leaders in privacy and security who tell us it's a struggle to comply with a barrage of new privacy and security regulations coming from states each year.
Cyber attorney Shawn Tuma, who is featured in our recent cybersecurity podcast episode, puts it like this:
"These things are getting thrown out there so quickly, they're not getting the attention they need or getting properly vetted. We need a uniform, national law."
Robert Cruz is Senior Director of Information Governance at Smarsh, a cloud-based information archiving provider. He says a national privacy law could lead to positive changes, prompting intentional decisions about data where such decisions are currently needed but not being made.
"Regulated corporations have a head start in meeting these requirements, in that they are already accustomed to actively managing the retention of data, and thus will start with a better understanding of where personal data lives in their organizations and have had the opportunity to implement governance policies to ensure that sensitive data can be brought under control.
For them, the biggest change will likely be to create additional pressure to finally delete data that is redundant or outdated and that has outlived its business purpose. That has been a challenge for almost all organizations.
For non-regulated firms that have not been focused on proactive information governance controls, a larger amount of work lies ahead."
So while there seems to be an appetite for some sort of national law in this space, we haven't come across anyone in favor of U.S. executive jail time or GDPR-sized fines. Those types of fines sent a chill down the spine of leaders we talked to as everyone was preparing for Europe's GDPR in the first place.
But here is a key question: is a one-size-fits-all regulation the right approach for privacy and security? Senator Ron Wyden thinks it is, and he is a force to be reckoned with on these issues.
Gizmodo describes his tenacity:
"A constant privacy hawk, Wyden is one of the few Washington lawmakers willing to go the distance, to put something into law that would instantly and dramatically change the way major companies handle our private data."
Gizmodo's headline, by the way, calls the Mind Your Own Business Act "The Only Privacy Bill Worth a Damn."
Interesting. And debatable.
If you've got the time, download and read the Mind Your Own Business Act for yourself.
And let us know what you think. Will Wyden's idea of locking up executives and making companies pay massive fines protect our privacy and increase security?