Senator Ron Wyden [D-OR] has introduced the Consumer Data Protection Act, which creates a newly mandated system of annual reports to the FTC on the steps a company has taken to secure the data it holds, and extends personal criminal liability to the CEOs of companies worth more than $1B, or holding data on more than 50,000,000 people, who knowingly mislead the FTC in those reports.
CEOs whose companies lie to the FTC about these measures will face 20 years in prison and $5 million in fines for breaches.
This reminds me of the criminal liability regime in the Sarbanes-Oxley bill passed after the Enron scandal, which threatened jail sentences for CEOs who signed their names to false financial statements and had far-reaching consequences. For example, record labels had routinely been running "third shift" pressings to produce extra, off-the-books copies of popular CDs that were sold in record stores without any royalties going to the musicians involved; after SOX, this came to an abrupt halt.
It turns out that when the CEO's freedom is on the line, businesses manage to create really effective policies to accomplish whatever it is the company needs to do to keep the CEO out of prison: "Depend upon it, sir, when a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully."
From Facebook's Cambridge Analytica scandal to Verizon getting busted covertly tracking wireless users around the internet, it has become clear there's not much in the way of genuine accountability or transparency when it comes to cavalier treatment of user data.

