Oregon’s Wyden Pitches Jail Time for Breaches

U.S. Sen. Ron Wyden has proposed legislation that would give the Federal Trade Commission the authority to establish privacy and cybersecurity standards while imposing fines — and potentially jail time — for companies and executives who violate them.

by Mike Rogoway, The Oregonian / February 7, 2019
U.S. Sen. Ron Wyden Shutterstock/Diego G Diaz

(TNS) — Privacy breaches that expose social media profiles, bank accounts, online photos and personal Internet activity have become endemic.

Incensed, Oregon’s senior U.S. senator is pitching jail time and billions in fines for companies or executives who enable such breaches.

To Sen. Ron Wyden, the privacy failures are analogous to the corporate fraud and accounting scandals behind the collapse of Enron and WorldCom. So Wyden wants new federal privacy protections analogous to the rules that govern corporate executives’ conduct.

The Democratic lawmaker recently introduced a bill that would give the Federal Trade Commission the authority to establish privacy and cybersecurity standards. The bill would impose levy steep fines – even jail time – for companies and executives who misrepresent their compliance.

“The point is the Federal Trade Commission on privacy issues thus far has basically been toothless,” Wyden said in an interview with The Oregonian/OregonLive. “I am trying to recreate this agency for the digital era.”

The 38-page bill’s provisions would:

  • Establish a “do not track” option for people using online services. In lieu of allowing their search history, social media favorites and online activity to be sold to advertisers, people could opt to pay an unspecified fee to preserve their privacy.
  • Authorize the FTC to establish privacy and cybersecurity standards and require big companies to report annually on their privacy practices.
  • Penalize large companies that submit false information in their annual privacy report. Penalties could amount to 4 percent of annual revenue – a number that could run in the billions of dollars for the biggest social media companies. Executives could face jail time up to 20 years.
  • Require companies to assess their algorithms for accuracy, fairness, bias and discrimination.

“What we are essentially advocating is what the big financial services firms have to do under Sarbanes-Oxley,” Wyden said.

That’s a controversial 2002 law designed to prevent corporate fraud by requiring publicly traded companies to take steps to ensure the accuracy of their financial reports and mandating that top executives take personal responsibility for their veracity.

As a member of the Senate’s minority party during a hyper-partisan era, Wyden faces long odds in getting his bill passed. He introduced the bill last fall and it has made little headway in the intervening months.

But he’s hoping persistent consumer outrage about privacy violations could give it additional traction, coupled with support from within the tech industry itself.

Facebook, Google and other companies that rely on online advertising have resisted limits on how they can use personal data. Neither of those big companies responded to requests for comment on the bill.

But others less reliant on Internet advertising, notably Apple, have called for comprehensive digital privacy laws. And in a statement provided by Wyden’s office, chipmaker Intel endorsed his work on privacy.

“The bill is a tremendous step towards effective comprehensive U.S. privacy legislation,” said

David Hoffman, Intel’s associate general counsel and global privacy officer. “Providing more authority and resources to the U.S. Federal Trade Commission is a critical foundation for robust privacy protection.”

The bill’s eye-popping penalties are reserved for large companies and wouldn’t apply to privacy violations themselves. Rather, companies would face the penalties when they submit false statements about their privacy practices.

Still, Technology Association of Oregon chief executive Skip Newberry said some of his members have expressed concerns about the very significant penalties. He and other members met with representatives from Wyden’s office in Washington, D.C., on Tuesday and discussed the bill.

“My impression from today's meeting is his office is interested in connecting with small and medium-sized tech companies on the Do-Not-Track privacy bill in addition to their on-going conversations with larger tech companies,” Newberry wrote in an email. “We will be working with their Oregon field office to solicit input from our members.”

©2019 The Oregonian (Portland, Ore.). Distributed by Tribune Content Agency, LLC.