
Digital Guardian's Blog

Latest Data Privacy Act Aims to Protect Individual's Data Online

by Chris Brook on Wednesday December 26, 2018


Senate Democrats have introduced an act that would require companies to protect consumer data, inform users of breaches, and be held to duties of care, loyalty, and confidentiality.

Legislators have introduced yet another new bill designed to protect the personal data of individuals online.

The Data Care Act, unveiled two weeks ago by Senator Brian Schatz (D-Hawaii), would require websites, apps, and other data merchants to ensure that steps are taken to safeguard personal data and prevent its misuse.

Some of the bill’s goals are to make sure individuals are "promptly" informed when their data has been breached, that companies don't identify data in a way that would hurt users, and to award more power to the Federal Trade Commission when it comes to enforcing the protections.

Schatz, who sits on the Senate’s Communications, Technology, Innovation, and the Internet Subcommittee, co-sponsored the act alongside 14 other senators, including Maggie Hassan (D-NH), Amy Klobuchar (D-Minn.), Cory Booker (D-NJ), and Ed Markey (D-Mass.).

Specifically, the act (PDF) would establish five duties of providers:

  • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information;
  • Duty of Loyalty – May not use individual identifying data in ways that harm users;
  • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data;
  • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene;
  • Rulemaking Authority – The FTC is granted rulemaking authority to implement the Act.

The bill isn't without its vagueness. The "duty of confidentiality" section imposes "duties of care, loyalty, and confidentiality" but doesn't really get into the specifics of what that would entail. The "duty of loyalty" section says providers can't use individual identifying data that will benefit the provider but will come at the detriment of the end user, be "unexpected and highly offensive" to the end user, or cause the end user "reasonably foreseeable and material physical or financial harm." The bill doesn’t define detriment, what unexpected or highly offensive is, or how foreseeable and material physical or financial harm should be interpreted.

The bill is the latest that would give power to the Federal Trade Commission when it comes to imposing rules over data collection and issuing fines to offenders. A similar bill, the Consumer Data Protection Act, proposed last month by privacy maven Ron Wyden (D-Ore.), would allow the FTC to hire additional staff, create a national Do Not Track system, and give consumers a way to review what kind of personal information a company may have about them and to contest it.

Wyden's Consumer Data Protection Act would also allow the FTC to fine an organization up to four percent of its annual revenue upon a first offense and impose 10-20 year criminal penalties on execs that fail to follow guidelines around data use.

It's unclear whether Schatz's or Wyden's bill will ever pass, but it’s almost certain we’ll continue to see more of these bills, at least until Washington and the big data holders, tech companies like Google, Twitter, and Apple, can come to terms on some sort of universal, federal data privacy legislation.

Tags: Government, Data Privacy


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.