We covered this in the recent CyberheistNews, but now there is more detail.
The proposed Consumer Data Protection Act of 2018 looks to put legislative teeth behind the need for all organizations to maintain proper cybersecurity measures.
This latest proposed amendment of the Federal Trade Commission Act by U.S. Senator Ron Wyden (D-Oregon) seeks to address the lax state of cybersecurity throughout organizations, as well as to put controls in place over the sale and sharing of consumer information.
With 70% of U.S. organizations not identifying as being cyber-ready, matched with a 35% rise in malicious email volume, and targeted attacks rising 85% over last year, most organizations would likely not meet any minimum cybersecurity standards posed in the final version of this Act. Penalties include “steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives”, according to the Act’s one-page overview.
The good news is the proposed act – in its current draft iteration – only applies to companies with a minimum of $50M in revenue and at least 1M consumers or devices. However, given the momentum gained by GDPR and the California Consumer Privacy Act in trying to protect consumer information, it’s quite possible that these minimums will be lowered to include a larger share of smaller and mid-market organizations.