Sens. Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) are hoping to avoid a repeat of last year’s massive Equifax [EFX] data breach with a new bill that would impose financial penalties on credit reporting agencies (CRAs) that lose consumers’ private information.

The Data Breach Prevention and Compensation Act, introduced Wednesday, grants the Federal Trade Commission (FTC) greater oversight of CRAs’ cyber security efforts and mandates that the agency levy stricter penalties on those that fail to protect sensitive data.

Sen. Elizabeth Warren (D-Mass.)

“In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” Warner said in a statement. “This bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

The Equifax breach resulted in the loss of 145 million Americans’ data. Security officials have previously voiced concern that a lack of standardized, harsher penalties leaves little incentive for CRAs to bolster their cyber security practices or investments (Defense Daily, Oct. 6).

No agency currently has a mandated set of penalties it must impose on CRAs that allow consumer data, often collected without consent, to be compromised.

Warren and Warner’s bill requires the FTC to impose a base penalty of $100 for each consumer whose personal information is compromised.

Had the bill been in place during the Equifax breach, the company would have paid a penalty of at least $1.5 billion. (The $100 base alone would come to $14.5 billion for 145 million consumers; the lower figure is consistent with the bill’s revenue-based cap on maximum penalties, described below.)

Under the legislation, the FTC would be required to use half of the collected fines to compensate affected consumers.

“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax, and provides robust compensation for affected consumers, which will put money back into people’s pockets and help stop these kinds of breaches from happening again,” Warren said in the statement.

The bill caps maximum penalties at 50 percent of the CRA’s gross revenue from the year before the cyber attack.

CRAs would also be subject to annual cyber inspections by a newly established FTC Office of Cybersecurity. Companies with inadequate data security standards would face greater penalties in the event of a breach.

The senators’ bill has been well received by consumer protection and privacy groups as a step toward holding CRAs accountable for the large amounts of critical data they hold.

“The credit bureaus are different from retailers or other entities that could be breached. They hold a treasure trove of personal information valuable to identity thieves, but have long demonstrated a disdain for consumers, who they treat as products, not customers. In years of seeking to bring the credit bureaus to heel, I am more and more convinced that hitting them in the wallet, as this bill does, is the best way forward,” Ed Mierzwinski, program director for the U.S. Public Interest Research Group consumer program, said in a statement.

Last week a group of banking and retail associations sent a letter to House leadership calling for similar legislation to standardize cyber attack response protocols (Defense Daily, Jan. 5).

“Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers,” Marc Rotenberg, president of the Electronic Privacy Information Center, said in a statement.