By the Data Security & Privacy Team

Introduced by Senator Brian Schatz (D-HI), the ranking member of the Communications, Technology, Innovation, and the Internet Subcommittee of the United States Senate, the Data Care Act of 2018 (the “Act”) seeks to enact Federal privacy legislation that will incentivize “online service providers” to protect certain types of personal data or risk civil penalties brought by both Federal and State agencies.[1]

Introduced to the Senate on December 12, 2018, the Bill was succinctly designed to “establish duties for online service providers with respect to end user data that such providers collect and use.” The bill defines “online service provider” as any entity that is both “engaged in interstate commerce over the internet…” and “in the course of its business, collects individual identifying data about end users…” The term “end users” is further defined as any “individual who engages with the online service provider or logs into or uses services provided by the online service provider over the internet or any other digital network.” In other words, anyone who logs into any online network is now an “end user.” And almost any entity that affords the opportunity to log into a network becomes an “online service provider” that is now tasked, under threat of concurrent state and federal criminal penalties, with protecting certain types of data.[2]

The following types of information are protected from disclosure under the Act and referred to as “sensitive data”:

  • Social security numbers;
  • First and last names or first initial and last name accompanied by the following:
    • The individual’s year of birth;
    • Mother’s maiden name; or
    • Individual’s geolocation.
  • Biometric data (example: thumb print);
  • User name and password or email address and password;
  • Financial account numbers (example: credit or debit card number);
  • Personal information of minor children (as defined in section 1302 of the Children’s Online Privacy Protection Act of 1998);
  • Driver’s license number, military identification number, passport number or any number issued on a similar item of government identification;
  • Information relating to an individual’s mental or physical health; and
  • Nonpublic communications or user-created content by an individual. [3]

The Act imposes not only a duty of care to “reasonably secure individual identifying information from unauthorized access,” but also a duty of “loyalty,” that “will prevent the reasonably foreseeable material from physical or financial harm to the end user.” The duty of confidentiality further prohibits the “online service provider” from selling or disclosing any information that it keeps on its “end users” and imposes the duty to take reasonable steps to ensure a “duty of care” by entities to which the online service provider discloses or sells information.[4] In the event of a breach, the online service provider must inform the Federal Trade Commission in accordance with 5 U.S.C. § 553. Thus, the Act looks to “online service providers” to police each other.

Consistent with the growing pressure on businesses to institute cybersecurity measures, the Act codifies the ability of multiple states and multiple state agencies to bring civil actions against offenders. Specifically, the Act permits both state Attorneys General, as well as any other state consumer protection agency, to bring civil actions against any offender without much limiting language. Accordingly, an online retail distributor qualifying as an “online service provider” could face civil and criminal penalties from all 50 states, as well as simultaneous penalties from the Federal Government for the same offense.

If passed, this Act will go into effect within 180 days of its enactment. With a Federal Government shutdown currently in place without an anticipated opening date, it is unknown when the Act will be signed into law. However, the political blogs are not anticipating substantial opposition to the Act if addressed this year.[5] Therefore, the Act (along with six similar privacy-specific proposals) is essentially giving a 6-month warning to businesses with an online presence that their failure to stringently protect and adhere to a “duty of loyalty” to their customers could very well result in federal charges and penalties, as well as lawsuits in multiple (if not all 50) states.