Execs Could Face Jail Time For Privacy Violations | Threatpost

A new data privacy bill threatens large tech firms, like Facebook, with tough penalties – including monetary fines and up to 20 years of jail time for executives – if they violate user privacy policies.

The “Mind Your Own Business Act,” proposed by Sen. Ron Wyden (D-Ore.) on Thursday, gives the Federal Trade Commission (FTC) the ability to establish privacy and security standards for tech platforms.

If companies violate these standards, they could face fines of up to 4 percent of a company’s global turnover – the same provision used by the already-enacted General Data Protection Regulation (GDPR) laws in the EU. In addition, senior executives who “knowingly lie to the FTC” could face criminal penalties of 10 to 20 years under the act.

“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” said Wyden, in a press statement. “A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government.”

Under the new bill, the FTC would also create a national “Do Not Track” system that bars companies from tracking consumers on the web, selling or sharing their data, or targeting advertisements based on their personal information.

“Companies that wish to condition products and services on the sale or sharing of consumer data must offer another, similar privacy-friendly version of their product, for which they can charge a reasonable fee,” according to Wyden’s release. “This fee will be waived for low-income consumers who are eligible for the Federal Communication Commission’s Lifeline program.”

Under the act, the FTC would also be able to hire 175 staff members to police tech companies’ data collection policies. In addition, the bill would give consumers a way to review the personal information a company has about them, including how it’s being shared or sold.

An increased focus on data privacy is a very good step forward, Robert Cruz, senior director of information governance at data archiving solutions company Smarsh, told Threatpost.

“It will cause individuals and businesses to use data privacy as a differentiator, and place a more explicit value on transparency,” he told Threatpost via email. “Ultimately, some companies have invested to implement controls and consider data privacy ‘by design and default’ – and there are those that will look at it as simply another business tax. This gives very useful information to individuals who are deciding who they want to do business with.”

The biggest challenge the bill will face is from organizations who are making millions of dollars collecting, using, and selling personal data in a non-transparent manner, said Lecio de Paula Jr., data privacy director at KnowBe4, in an email.

“Somebody has to be accountable for violating the privacy law. Many organizations are simply just ‘OK’ with receiving a fine and a slap on the wrist — which we have seen with the past few FTC fines of the large tech players,” said de Paula.

Previous FTC investigations into data collection debacles have resulted in penalties – but not jail time. The investigation into Facebook on the heels of the Cambridge Analytica faux pas, for instance, resulted in a $5 billion fine. Interestingly, that Facebook fine – the largest ever imposed by the FTC – is actually more than double the 4 percent maximum percentage of a company’s global turnover that can be imposed as a penalty under the EU’s GDPR.

Other top FTC data privacy penalties have included a $700 million penalty for Equifax after its 2017 data breach, and a $170 million fine for YouTube for violating the Children’s Online Privacy Protection Act.

Experts like de Paula hope that the bill’s efforts around providing the FTC with more resources – such as more staff members to police data collection – will help prevent data issues from happening in the first place.

“If the FTC is able to obtain more authority and resources to start cracking down on organizations that are violating basic privacy and security principles, we will start to see a new standard set for businesses, which would allow them to begin taking a privacy-first approach to tackling new challenges and creating new products,” said de Paula.