On Thursday, Senator Ron Wyden (D-Ore.), a prominent privacy hawk, unveiled a draft bill that seeks to slap harsher penalties on companies—and chief executive officers—who run afoul of new rules that expand government oversight of the tech industry. The Consumer Data Privacy Act, as the bill is tentatively named, takes its cue from Europe’s General Data Protection Regulation, or GDPR, which can fine companies up to 4% of their global annual revenues for infractions. But Wyden’s bill goes even further: in addition to that penalty, the proposed law would allow prison sentences of up to 20 years, and individual fines as high as $5 million, for CEOs who knowingly mislead regulators.
If GDPR has teeth, Wyden’s proposal has fangs—set on the jugulars of corporate heads. The proposed law would require big firms—ones with revenues exceeding $1 billion or ones that store data on more than 50 million consumers or their devices—to submit “annual data protection reports” to the government that lay out their data-securing practices. It would force companies to comply with “do not track” policies while offering alternative payment options to consumers, such as subscription fees instead of ad-supported “free” models. And it would boost the power of the Federal Trade Commission, adding a tech-focused division with a broader mandate alongside an arsenal of stronger enforcement actions.
Lindsey Barrett, an attorney and teaching fellow at Georgetown Law’s Communications & Technology Clinic within the school’s Institute for Public Representation, commented on Twitter that the proposed legislation “injects sorely needed accountability into our equif*cked information ecosystem.” Wyden’s own statement was a little more sanitized: “It’s time for some sunshine on this shadowy network of information sharing,” he said.
But the proposed reform isn’t all sunshine and rainbows. Jake Williams, an alumnus of the National Security Agency who has since cofounded Rendition InfoSec, a cybersecurity consulting shop, said he doubts the bill will pass. “Even if it does, it won’t mean what you might think. It won’t create a SOX style environment around cyber. Sorry,” he wrote on Twitter, referring to Sarbanes-Oxley, a 2002 financial reform enacted in the wake of the Enron scandal to prevent similar accounting blowups.
The main thrust of Williams’ criticism is that the proposed law would box in cybersecurity practitioners, constraining an industry that is still finding its feet. The bill effectively grants corporate governance, risk, and compliance departments the right to “rule infosec,” Williams warned. If it passes into law, it will likely lead to licensing requirements within the cybersecurity industry, akin to the hoops people must jump through to become certified public accountants, he said. “Professional licensure is not good for a profession this young,” he said.
Data privacy reform is long overdue, but this bill presents questions. Is Big Tech—and its CEOs—ready to face the formalized wrath of guillotine-thirsting regulators? Does the bill unfairly target CEOs, leaving other C-Suite executives and board members off the hook? Could companies end up shoving the blame onto scapegoat CEOs of subsidiary businesses? And finally, as Williams noted, is the cybersecurity industry really ready to grow up and professionalize, accepting all the responsibility and regulatory constrictions that entails?
Be careful what you wish for.