Sen. Elizabeth Warren. Photo: Ethan Miller/Getty Images
Democrats in the Senate and House proposed new legislation Tuesday that would impose substantial, mandatory fines for breaches at credit bureaus.
Driving the news: The bill — proposed by Sens. Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.), and Reps. Elijah Cummings (D-Md.) and Raja Krishnamoorthi (D-Ill.) — is a response to the massive 2017 Equifax breach. Had it been in effect at the time of the breach, the proposed legislation would have fined Equifax at least $1.5 billion, by the lawmakers' tally.
Details: The Data Breach Prevention and Compensation Act would fine credit bureaus $100 for each person with at least one piece of private information stolen in a breach, and $50 for each additional piece.
- The definition of breach appears to be expansive, including any exposure of information to an unauthorized party.
- The bill would additionally open a cybersecurity office in the Federal Trade Commission and require that the government be notified promptly of any breach.
- The bill would only apply to companies with revenues of $7 million a year or more, and fines would be limited to 50% of revenue.
Why it matters: Little has been done to impose cost on credit bureaus for cybersecurity negligence since the Equifax breach.
- Credit bureaus are unique: While it's ordinary citizens whose data get compiled by the companies, it's financial services firms — not the citizens — who are the bureaus' customers. Critics believe that means there's little financial incentive outside regulatory oversight for the bureaus to protect data.
The other side: Having credit bureaus may put data at risk, but not having credit bureaus may potentially be worse. Without credit bureaus, there's no quick objective test to determine who should get a mortgage or credit card. In the past, that's made it difficult for poor people and minorities to get those services.