March 25, 2023

Volume XIII, Number 84



The Data Care Act of 2018

A new bill in the Senate proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information in the same way banks, lawyers and hospitals are held responsible. The Data Care Act of 2018, which was introduced on December 12, 2018, is designed to protect users' information online and penalize companies that do not properly safeguard such data.

Personal data under the bill includes:

  • Social Security number

  • Driver’s license number

  • Passport or military identification number

  • Financial account number, credit or debit card number with the access code or password necessary to permit access to the financial account

  • Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation

  • Account information such as user name and password or email address and password

  • First and last name of an individual or first initial and last name, in combination with date of birth

The bill would also protect personal information from being sold or disclosed unless the end user agrees.

The bill is seen as part of a broader push to enact federal privacy legislation, in part to prevent more states from enacting their own privacy legislation, similar to recent moves in California and Illinois.

The bill was introduced by Senator Brian Schatz (D-HI), the Ranking Member of the Communications, Technology, Innovation, and the Internet Subcommittee. The bill was co-sponsored by 14 Senate Democrats.

Senator Schatz stated in a press release that people “have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

The bill would be defined and enforced by the Federal Trade Commission. It would establish three basic duties: the duty of care, the duty of loyalty and the duty of confidentiality. If the bill is passed, the FTC would go through the normal notice and comment rulemaking process to further establish how authorities will define, implement and enforce concepts like “reasonable” security measures.

There has been no shortage of federal initiatives seeking heightened protection for consumer personal data in the past couple of years, in particular since enactment of the EU’s GDPR, and it's only a matter of time before one of them finally sticks.

Jackson Lewis P.C. © 2023 National Law Review, Volume VIII, Number 361

About this Author

Rachel Ehlers Data Privacy Cybersecurity Lawyer
Of Counsel

Rachel E. Ehlers is Of Counsel in the Austin, Texas, office of Jackson Lewis P.C. She specializes in corporate governance and internal investigations, data privacy and cybersecurity, and workplace training. She has served in multiple in-house legal and compliance roles, in all sizes of companies—from startups to Fortune 500 companies.

Ms. Ehlers has extensive experience conducting internal investigations, as well as advising companies on government investigations involving harassment and discrimination, Code of Conduct violations, anti-bribery, including the...