
> I strongly suspect the only people criminally prosecuted under such a bill will be patsies

The only people that can be prosecuted under it are the chief executive officer, the chief privacy officer, and the chief information security officer.

The thing that is criminal under this bill and thus can subject them to prosecution is, despite what most news stories imply, not violating privacy.

The bill requires the company to file an annual privacy report with the FTC. The aforementioned three offices are required to provide a written certification to accompany that filing certifying that the report follows the rules of the bill.

The crime is certifying a report that they know does not follow the rules.

Draft text of bill: https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%2...




> are the chief executive officer, the chief privacy officer, and the chief information security officer.

So what you are saying is companies should make sure not to have the latter two positions?

A CEO gets paid enough they can handle the risk, but the other two positions don't make nearly enough to exist in the face of risk like this.


Is it really a big risk?

The annual report has to describe in detail whether the company complied with the regulations in accordance with subparagraphs (A) and (B) of section 7(b)(1), and, to the extent that the company did not, list which regulations were violated and how many consumers' personal information was impacted.

7(b)(1)(A) requires the company "to establish and implement reasonable cyber security and privacy policies, practices, and procedures to protect personal information used, stored, or shared by the covered entity from improper access, disclosure, exposure, or use".

7(b)(1)(B) requires the company "to implement reasonable physical, technical, and organizational measures to ensure that technologies or products used, produced, sold, offered, or leased by the covered entity that the covered entity knows or has reason to believe store, process, or otherwise interact with personal information are built and function consistently with reasonable data protection practices".

To be criminally liable the officer has to certify the report "knowing that the annual report accompanying the statement does not comport with all the requirements set forth in this section".

In other words, to be criminally liable the officer has to lie to the FTC.

The main risk it seems to me is that the officers might be given false information from underlings, leading the officers to believe the report is accurate when it is not. If the FTC discovers this, their initial suspicion will be that the officers were the ones that lied. If the officers keep good records of where they got the information they relied on when certifying the report, they should be OK, although it will certainly be something of a hassle.

This only applies at companies with $1 billion or more in annual revenue that deal with personal information on more than 1 million consumers or consumer devices, or that deal with personal information on more than 50 million consumers or devices.

I'd expect a CPO or CISO at such a place is paid well enough to handle this.
