CYBER CORNER

A “discussion draft” of a bill recently released by members of both parties in Congress seeks to establish a national data privacy and security standard. This proposed legislation, dubbed the American Privacy Rights Act (the “Act”), incorporates various provisions which attempt to minimize the data that businesses can collect and share, giving the American people the right to exercise greater control over their personal information. 

Under the Act, covered entities and organizations would be required to develop transparent privacy policies and give consumers the opportunity to “opt-out” of having their data collected. Additionally, these entities would be required to establish reasonable data security practices, including but not limited to vulnerability assessments, preventative and corrective actions, information retention and disposal protocols, and incident response planning. The Act also requires covered entities to designate privacy and data security officers and to exercise due diligence in their selection of third-party providers who would also be subject to compliance with the provisions in the Act.
Violations of the Act would be considered an “unfair and deceptive trade practice,” and the Federal Trade Commission (“FTC”) could bring an action against a non-compliant business on that basis. The FTC would also be able to collect penalties as part of judgments or consent orders and deposit them in a victim’s relief fund, suggesting that these damages would be treated as compensatory and not punitive damages under cyber insurance policies. However, the Act would give non-complying businesses thirty-days to fix any deficiencies and thereby avoid enforcement actions. 

For now, covered entities should ensure that they are following current privacy laws and re-examine their coverage for any potential data breach. If enacted into law, enforcement of this Act could leave non-complying businesses open to significant losses.