Federal lawmakers are considering the Consumer Privacy Protection Act of 2017, a new bill that would regulate the storage online of certain types of personal consumer information.
Introduced by Sen. Patrick Leahy (D-Vt.) and cosponsored by Sens. Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.), Ron Wyden (D-Ore.), Al Franken (D-Minn.), Kamala Harris (D-Calif.) and Tammy Baldwin (D-Wisc.), the proposal would require companies that collect and hold data on at least 10,000 U.S. individuals to meet certain baseline privacy and data security standards to safely keep information obtained from consumers.
More specifically, the legislation mandates that companies encrypt information (or use similar protective technologies), conduct vulnerability testing and employee training, conduct due diligence before allowing third parties to acquire data, and destroy sensitive information that is no longer needed.
The measure protects categories of data, including Social Security numbers; financial account information (including credit card numbers and bank accounts); online usernames and passwords, such as email names and passwords; unique biometric data (fingerprints and “faceprints,” for example); information about a person’s physical and mental health; geolocation data; and private digital photographs and videos.
Data breach notification requirements are also included in the bill. Consumers must be notified of a breach “as expediently as possible and without unreasonable delay,” not to exceed seven days following the discovery of a security breach. An exception covers delays authorized for law enforcement or national security purposes.
In addition, companies must provide five years of appropriate identity theft prevention and mitigation services to consumers whose sensitive personally identifiable information has been—or is reasonably believed to have been—accessed or acquired.
Enforcement would be provided by state attorneys general, who would have the power to enjoin a practice that allegedly violates the Act, and to enforce compliance or impose a civil penalty “in an amount not greater than the product of the number of violations … and $16,500.”
Data breach notification violations are subject to a different scheme under the statute. Determinations of a violation and the amount of the penalty will be made “by the court sitting as the finder of fact.” If the court also finds that the violation was willful or intentional, the Act provides discretion to impose an additional penalty as long as it doesn’t exceed $10 million.
No private right of action was created by the bill, which would preempt state data security and breach notification laws weaker than those found in the bill.
To read the Consumer Privacy Protection Act of 2017, click here.
Why it matters: Spurred in part by the rash of massive data breaches in recent months (including Equifax’s disclosure that hackers obtained information on more than 140 million consumers in the United States), the proposed legislation already has the support of consumer groups such as Public Knowledge, the Consumer Federation of America, and the Center for Democracy and Technology. Given the current political impasse, passage of the bill appears to be an uphill battle.