A US Congressional Representative from the State of Washington recently reintroduced a bill that would create a nationwide data privacy standard, to be enforced by the Federal Trade Commission (FTC). Its latest version is intended to gather bipartisan support by addressing specific Republican concerns. The Information Transparency and Personal Data Control Act, if passed, would replace the current patchwork of state laws and provide an influx of $350 million to the FTC's budget to enforce the proposed regulations.
"The new DelBene bill marks an interesting start for the relaunch of the effort to advance federal privacy law," says the International Association of Privacy Professionals (IAPP). "Specifically, while coming from the Democrats' side of the aisle, the bill is largely preemptive of state privacy laws and would not allow a private right of action." These two issues have been a lightning rod for Republicans in the past and hindered any attempt to bridge the gap between the two sides in the US Congress this year. "So, it's worth noting that Democrats supporting this bill are making a significant stride to meet Republicans' demands," reports the IAPP.
This current bill is designed to protect a wide swath of personal information by requiring businesses to obtain consumer consent prior to sharing their data, and companies would also be required to write their privacy policies in easy-to-understand language. "With states understandably advancing their own legislation in the absence of federal policy, Congress needs to prioritize creating a strong national standard to protect all Americans," says the US Representative.[1]
This is the fourth time DelBene has attempted to have this legislation enacted. The bill currently has no Republican co-sponsors. If passed, the bill would require the FTC to hire 500 additional employees who would focus on privacy and data security issues, 50 of whom must have technical expertise in the area. Exactly what this would entail, however, is not further defined. The bill also calls for the FTC to receive $350 million to implement the plan. "This will place the FTC at the forefront of the global regulatory effort to implement data protection laws and develop privacy policies," the IAPP says.
The sensitive information covered by the bill includes financial, health, genetic, biometric and geolocation data; sexual orientation; citizenship and immigration status; Social Security number and religious belief. It would also offer extra protection to the data of children under 13 years old. If passed, the bill calls for creating a balanced, high-standard digital privacy framework that complements global standards and a strong national standard to combat anti-consumer practices. It also requires the federal government to provide guidance on the proper collection, processing, disclosure, transmission and storage of sensitive data and ensure enforcement authorities have the resources needed to protect consumers. Businesses would be required to submit to a privacy audit every two years conducted by an independent third-party. If adopted, the Information Transparency and Personal Data Control Act would also supplant any similar state legislation currently in use, the bill states.
Unlike the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR), DelBene's bill does not include a fine structure or a breakdown of the type and size of businesses affected. The CCPA, which went into full effect in January 2020, sets a maximum penalty of $7,500 per violation, and that ceiling is reserved for intentional violations; unintentional violations are subject to a preset maximum fine of $2,500 per violation. GDPR, which went into effect in May 2018, empowers EU regulators to levy fines of up to 4% of an organization's annual global revenue or 20 million euro ($22.2 million), whichever is greater, for violations of Europeans' privacy rights. Under the CCPA and GDPR, individuals also have the right to take civil action against a company, a point that is lacking in the DelBene bill. The proposed bill does, however, give the FTC and all state attorneys general enforcement powers. Once a violation has been brought before the FTC, the offending business has 30 days to rectify the problem before any enforcement action is undertaken.
A state may also bring an action in a case on behalf of a state or its residents after submitting written notification to the FTC, according to a draft of the bill.
Specific Action Items. The bill has six primary requirements:
- Plain English: Requires companies to provide their privacy policies in plain English.
- Opt-in: Allows users to opt-in before companies can use their most sensitive private information in ways they might not expect.
- Disclosure: Increases transparency by requiring companies to disclose if and with whom they will share the consumer's personal information and the purpose of sharing the information.
- Preemption: Creates a unified national standard and avoids a patchwork of different privacy standards by preempting conflicting state laws.
- Enforcement: Gives the FTC strong rulemaking authority to keep up with evolving digital trends and the ability to fine bad actors on the first offense. It also empowers state attorneys general to pursue violations if the FTC chooses not to act.
- Audits: Establishes strong "privacy hygiene" by requiring companies to submit privacy audits every two years from a neutral third party.
In the absence of federal regulations, privacy legislation is in motion this year in Minnesota, New York, Washington and Oklahoma. If those bills pass, the number of states with their own privacy standards would rise to eight: California, Nevada and Maine have previously adopted such standards, and Virginia passed its Consumer Data Protection Act on 2 March. Most bills being considered at the state level are modeled on the recently instituted California Privacy Rights Act and on Washington state's proposed privacy legislation.
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns, such as REvil.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.bankinfosecurity.com/federal-privacy-bill-reintroduced-in-congress-a-16178