Washington, DC – United States Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) this week introduced the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs) – including Equifax – accountable for data breaches involving consumer data.
The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at credit reporting agencies, impose mandatory penalties on credit reporting agencies to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.
In September 2017, Equifax announced that hackers had stolen sensitive personal information – including Social Security Numbers, birth dates, credit card numbers, driver’s license numbers, and passport numbers – of over 145 million Americans.
The attack highlighted that credit reporting agencies hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers.
Since 2013, Equifax has disclosed at least four separate hacks in which sensitive personal data were compromised.
Under this legislation, Equifax would have had to pay at least a $1.5 billion penalty for its failure to protect Americans’ personal information. To ensure robust recovery for affected consumers, the bill would also require the FTC to use 50% of its penalty to compensate consumers and would increase penalties in cases of woefully inadequate cybersecurity or if a credit reporting agency fails to timely notify the FTC of a breach.
“The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” said Senator Warren, who represents Massachusetts.
“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into people’s pockets and help stop these kinds of breaches from happening again,” said Sen. Warren.
“In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” said Senator Warner. “This bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”
The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:
“U.S. PIRG commends Senators Warren and Warner for the Data Breach Prevention and Compensation Act. It will ensure that credit bureaus protect your information as if you actually mattered to them and it will both punish them and compensate you when they fail to do so,” said U.S. PIRG Consumer Program Director, Ed Mierzwinski.
“This bill establishes much-needed protections for data security for the credit bureaus. It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust,” said National Consumer Law Center staff attorney, Chi Chi Wu.
“Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers,” said Electronic Privacy Information Center President, Marc Rotenberg.
“This bill creates greater incentive for these companies to handle our data with care and gives the Federal Trade Commission the tools that it needs to hold them accountable,” said Director of Consumer Protection and Privacy at Consumer Federation of America, Susan Grant.
The Data Breach Prevention and Compensation Act addresses this problem by giving the Federal Trade Commission more direct supervisory authority over data security at CRAs and imposing a strict liability penalty regime that will incentivize the largest agencies to adequately protect consumer data and automatically compensate consumers for stolen data. Specifically, the bill:
Imposes strict liability penalties for breaches involving consumer data at credit reporting agencies. CRAs – including Equifax – currently face no mandated penalty for allowing consumer data to get stolen after they have collected it without consent. This bill would impose mandatory, strict liability penalties for breaches of consumer data at CRAs, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised, with an additional $50 for each additional piece of PII compromised per consumer. The bill caps the penalty at a maximum of 50% of the CRA’s gross revenue from the prior year.
Ensures robust recovery for affected consumers. Under current law, it is difficult for consumers to get compensation when their personal data is stolen. Typical awards range from $1 to $2 per consumer. This bill requires the FTC to use 50% of its penalty to compensate consumers.
Establishes an Office of Cybersecurity at the FTC that is tasked with annual inspections and supervision of cybersecurity at CRAs. The FTC currently does not have adequate authority or resources to monitor data security practices at CRAs. This bill establishes a Director and Office of Cybersecurity that would conduct cybersecurity inspections at CRAs and authorizes the FTC to promulgate new regulations outlining effective data security standards for CRAs.
Increases penalties for cases of woefully inadequate cybersecurity or failure to notify. The bill would double the automatic per-consumer penalties and increase the maximum penalty to 75% of the CRA’s gross revenue in cases where the offending CRA fails to comply with the FTC’s data security standards or fails to timely notify the agency of a breach.
Photo and release courtesy of Sen. Elizabeth Warren’s office