New Privacy Bill Would Hold Companies Liable for Data Misuse

A group of more than a dozen senators is pushing to pass what would be the first national data privacy law in the United States. A new bill, introduced Wednesday, would require companies to “reasonably secure individual identifying data from unauthorized access” and provide severe civil penalties for violations.

The Data Care Act would give the Federal Trade Commission the authority to enforce the new provisions, rather than establishing a separate data protection agency. The FTC has broad powers to establish and enforce rules through the Federal Trade Commission Act, but the commission has not had the kind of privacy enforcement authority that the new bill would give it. Right now, there is no federal privacy or data breach legislation, so companies must deal with each state’s regulatory requirements individually.

The proposed bill has a broad definition of “sensitive data” that must be protected, including Social Security numbers, driver’s license numbers, financial account numbers, usernames and passwords, military ID numbers, and even first and last names. The bill also requires that biometric identifiers such as fingerprints and iris scans be protected.

"The bill is definitely a step in the right direction. Senator Schatz is a thoughtful leader on privacy issues. We are disappointed that there are no Republican co-sponsors, but this bill is a good vehicle for privacy discussions on the Hill," said Christine Bannan, consumer protection counsel at the Electronic Privacy Information Center (EPIC).

The group of 15 sponsors of the Data Care Act includes Sen. Brian Schatz (D-Hawaii), Sen. Margaret Hassan (D-N.H.), and Sen. Cory Booker (D-N.J.). Schatz, the main sponsor of the bill, said the legislation is intended to reduce the complexity of the current regulatory landscape while providing more protection for consumers.

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” he said.

The Data Care Act also includes some unusual provisions that impose restrictions upon the ways in which companies can handle user data. The Duty of Loyalty section in the bill prevents service providers from using consumer data in any way that “will benefit the online service provider to the detriment of an end user; and will result in reasonably foreseeable and material physical or financial harm to an end user; or would be unexpected and highly offensive to a reasonable end user.”

The responsibilities of service providers also extend to any third parties with whom they share user data.

Interestingly, the Data Care Act does not include Sen. Ron Wyden (D-Ore.) as a sponsor. Wyden is one of the more vocal federal legislators on cybersecurity and privacy issues, and in November he began circulating a discussion draft of a federal privacy bill that is quite similar to the Data Care Act. Wyden’s Consumer Data Protection Act also makes the FTC the enforcement agency for violations and provides for penalties of up to four percent of a company’s annual revenue. The Data Care Act uses a more complicated formula: the penalty is calculated by taking the larger of the number of days a company was in violation of the act or the number of users affected by the breach, and multiplying that figure by “an amount not to exceed the maximum penalty for which a person, partnership, or civil corporation may be liable” under the existing FTC Act.

Privacy and digital rights organizations have been calling for a federal privacy and data breach law for many years.

“We generally favor legislation requiring large companies to serve as fiduciaries for their consumers' data, and to satisfy duties of loyalty, confidentiality, and care for their users. We look forward to working with the Senator to improve his bill and to advance information fiduciary protections that will meet the needs of Internet users and adequately safeguard consumer data privacy as a part of comprehensive privacy legislation,” said India McKinney, a legislative analyst at the Electronic Frontier Foundation.