A group of 15 Senators has introduced the Data Care Act, a measure designed to protect Americans information online and penalize companies that do not properly safeguard such data.
The Data Care Act, introduced by Sen. Brian Schatz, D-Hawaii, would require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data. The bill tasks the Federal Trade Commission with creating a set of ground rules for how companies which gather and digitally store sensitive personal information on their customers must protect that data. The type of information includes:
• Social Security driver’s license, passport or military identification number
• Financial account number, credit or debit card number, or any required security code, access code, or password that is necessary to permit access to a financial account of an individual.
• Unique biometric data such as a fingerprint, voice print, a retina or iris image, any other unique physical representation.
• Account information such as username and password, email address and password; the first and last name of an individual, or first initial and last name, or other unique identifier in combination with— the month, day, and year of birth.
“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” said Schatz.
Any company entrusted with such data will have a list of responsibilities, including reasonably securing PII, may not use individual identifying data, or use data derived from individual identifying data, in any way that will benefit the online service provider to the detriment of an end user. Finally, a company must promptly inform an end user of a data breach - although a time frame was not noted in the bill.
Personal information would also be protected from being sold or disclosed in any manner unless the end user agrees.
While a specific dollar penalty is not listed in the bill for companies who violate the act, there is a formula in place to derive a civil financial punishment.
The penalty will be calculated by multiplying “the greater of the number of days during which the online service provider was not in compliance with that section; or the number of end users who were harmed as a result of the violation, by an amount not to exceed the maximum civil penalty for which a person, partnership, or corporation may be liable under section of the Federal Trade Commission Act.”
The non-profit Public Knowledge, which promotes freedom of expression, an open internet, and access to affordable communications tools, stated that while it backs the Data Care Act, it has some reservations regarding certain details.
“For example, the bill would only stop companies from using personal data for their own benefit at consumers’ expense when it will result in reasonably foreseeable, material physical or financial harm. This list of harms is woefully incomplete. Similarly, the bill only requires companies to notify end users of a data breach when ‘sensitive’ data are breached -- this list is too limited to be effective, said Allie Bohm, Policy Counsel at Public Knowledge.
Additional sponsors include Sens. Maggie Hassan, D-N.H., Michael Bennet, D-Colo., Tammy Duckworth, D-Ill., Amy Klobuchar, D-Minn., Patty Murray, D-Wash., Cory Booker, D-N.J., Catherine Cortez Masto, D-Nev., Martin Heinrich, D-N.M., Ed Markey, D-Mass., Sherrod Brown, D-Ohio, Tammy Baldwin, D-Wis., Doug Jones, D-Ala., Joe Manchin, D-W.Va., and Dick Durbin, D-Ill.