On Tuesday, U.S. Sens. Mark Warner (D-Va.) and Elizabeth Warren (D-Mass.) introduced the Data Breach Prevention and Compensation Act, legislation intended to hold large credit reporting agencies (CRAs)—including Equifax—accountable for data breaches involving consumer data.
The bill would give the Federal Trade Commission more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs that fail to protect consumer data, and provide robust compensation to consumers for stolen data.
In September 2017, Equifax announced that hackers had stolen sensitive personal information – including Social Security numbers, birth dates, credit card numbers, driver’s license numbers, and passport numbers – of more than 145 million Americans. Since 2013, Equifax has disclosed at least four separate hacks in which sensitive personal data was compromised.
“In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” Warner said in a statement.
“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax,” Warren promised.
The Data Breach Prevention and Compensation Act would create an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs. It would impose mandatory, strict-liability penalties for breaches of consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personally identifiable information (PII) compromised, plus another $50 for each additional piece of PII compromised for that consumer.
Under current law, it is difficult for consumers to get compensation when their personal data is stolen; typical awards range from $1 to $2 per consumer. The bill would also require the FTC to use 50 percent of the penalties it collects to compensate consumers, and would increase penalties in cases “of woefully inadequate cyber-security or if a CRA fails to timely notify the FTC of a breach.”