Senator Ron Wyden (D) of Oregon has filed a bill that specifies steep fines and prison terms of up to 20 years for company executives who certify inaccurate data-protection reports at firms that misuse the personal data of American citizens. The bill is unlikely to make it out of the Senate.

Jon Brodkin reported on the proposed bill in Ars Technica:

Besides giving the FTC new powers, the bill would let the agency hire another 175 staffers “to police the largely unregulated market for private data,” Wyden’s bill summary says.

Under the proposed law, executives could be “fined not more than $5,000,000 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period from the covered entity, imprisoned not more than 20 years, or both,” the bill says.

[…]

Companies with at least $1 billion in annual revenue that store, share, or use personal information on more than 1 million consumers or consumer devices would have to file an annual data protection report certifying their compliance with the law. Companies that store, share, or use personal information on more than 50 million consumers or consumer devices would also need to submit these reports, regardless of how much revenue they make.

These data protection reports would have to be certified by a company’s CEO, chief privacy officer, or chief information security officer. The proposed law’s fines and prison sentences would apply to executives who certify statements in annual reports that don’t meet all the requirements. Prison sentences would be limited to 10 years for unintentional violations but could go up to 20 years for intentional violations. Similarly, fines issued to executives would be limited to the greater of $1 million or 5 percent of their annual compensation for unintentional violations, and go up to the greater of $5 million or 25 percent of their annual compensation for intentional violations.