Jan 10, 2018

Democrats want penalties for breaches at credit reporting agencies

Senators Mark Warner and Elizabeth Warren. Photo: T.J. Kirkpatrick / Bloomberg via Getty Images

Sens. Elizabeth Warren and Mark Warner introduced a bill today that would allow the Federal Trade Commission to slap penalties on credit reporting agencies (CRAs), like Equifax, when they have inadequate cybersecurity, when their data is breached, and when they don’t report those breaches in a timely manner. It also includes measures to compensate consumers whose data is compromised.

Why it matters: Equifax’s massive breach, announced last September, compromised over 145 million Americans’ personal identifying information, including Social Security Numbers, credit card numbers, and driver’s license numbers.

Although Democrats and Republicans alike grilled executives from Equifax on the breach last fall, bills that would have compensated affected consumers went nowhere.

Between the lines:

  • Warner has floated the idea that federal data breach laws could be recrafted to address different industry-specific needs, per Politico’s Martin Matishak.
  • It’s no shocker that the bill comes from two Democrats — states currently have different rules on reporting breaches, and Republican support for a proposal that would allow the federal government to preempt those state rules will likely be difficult to secure.

For Senator Warner, the bill, known as the “Data Breach Prevention and Compensation Act,” is about maintaining Americans’ access to credit in spite of a company’s data breach. “This bill will ensure that companies like Equifax…are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

  • The bottom line, per Senator Warren: “If companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”
  • It would create an Office of Cybersecurity at the FTC, which would conduct annual inspections of cybersecurity at CRAs.
  • Proposed penalties: In cases of “woefully inadequate cybersecurity” or failure to notify, the Senators propose doubling the automatic per-consumer penalties and raising the maximum penalty to 75% of the company’s gross revenue.
  • Proposed compensation: A base penalty of $100 per consumer who had one piece of personal identifying information (PII) breached, and $50 for each additional one. Normally, consumers will receive $1 or $2 back, per the Senators.
  • The bill would also force CRAs to return half of what they pay to the government back to consumers.