CISOs and CEOs in Jail? Senator Proposes Hard Time for Leaders Who Ignore Privacy and Cybersecurity

Cybersecurity and privacy are joined at the hip.

We keep hearing about that from security leaders at SecureWorld conferences.

Jail time for cybersecurity and privacy executives

Now there is talk in Washington D.C. that failure to uphold either privacy or cybersecurity could land corporate leadership in jail—for decades. And by corporate leaders, we mean Chief Executive Officers, Chief Privacy Officers, and Chief Information Security Officers.

U.S. Senator Ron Wyden (D-Oregon) has just proposed a bill that would correct what he calls "corporations’ lax cybersecurity and poor oversight of commercial data-sharing partnerships...." 

By the way, did we forget to mention the GDPR-style fines of up to four times the annual revenue for corporations?

Wyden is always poking and prodding on cybersecurity and privacy issues. He complained about sweeping surveillance under the U.S. Patriot Act, beat the drum on secret listening devices being discovered around Washington D.C., and pushed for special cybersecurity for U.S. Senators and their devices.

Here is what the Senator is proposing now:

1. Establish minimum privacy and cybersecurity standards.
2. Issue steep fines (up to 4% of annual revenue) on the first offense for companies, and 10- to 20-year criminal penalties for senior executives.
3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It would permit companies to charge consumers who want to use their products and services but don’t want their information monetized.
4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and challenge inaccuracies in it.
5. Hire 175 more federal staff to police the largely unregulated market for private data.
6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

Wyden is calling his bill the Consumer Data Protection Act of 2018, and he claims to want your input. Send your ideas to PrivacyBillComments@wyden.senate.gov.

You might want to read these documents first:1-page overview of the national cybersecurity and privacy Senate Bill

Full cybersecurity and privacy bill: Consumer Data Protection Act of 2018

If this bill gains traction, we can only imagine what SecureWorld's Advisory Council members will have to say about it in 2019.

We promise to keep you posted.

UPDATE 12/4/18: Senator Doubles Down on Proposal