Legislation introduced by Sens. Elizabeth Warren (D-Mass)
and Mark Warner (D-Va) is intended to hold large credit reporting agencies
accountable for data breaches involving consumer data. Warren stated
that the bill “imposes massive and mandatory penalties for data breaches at
companies like Equifax—and provides robust compensation for affected
consumers—which will put money back into peoples' pockets and help stop these
kinds of breaches from happening again.”
The DataBreach Prevention and Compensation Act would give the Federal Trade Commission
more direct supervisory authority over data security at credit reporting
agencies (CRAs), impose mandatory penalties on CRAs to incentivize adequate
protection of consumer data, and provide robust compensation to consumers for
stolen data. Warner said, “if companies like Equifax can’t properly safeguard
the enormous amounts of highly sensitive data they are collecting and
centralizing, then they shouldn't be collecting it in the first place.”
In September 2017, Equifax made public a data breach which compromised
the personal information of as many as 143 million Americans. The attack
highlighted that CRAs hold vast amounts of data on millions of Americans but
lack adequate safeguards against hackers, according to Warren. She stated that,
under this legislation, Equifax would have had to pay at least a $1.5 billion
penalty “for their failure to protect Americans’ personal information.”
According to a FactSheet distributed by Warren and Warner, the Data Breach Prevention and
Compensation Act would:
- establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs;
- impose mandatory, strict liability penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information compromised and another $50 for each additional compromise per consumer;
- require the FTC to use 50 percent of its penalty to compensate consumers and increase penalties in cases of inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach; and
- double the automatic per-consumer penalties and increase the maximum penalty to 75 percent of the CRA’s gross revenue in cases where the offending CRA fails to comply with the FTC’s data security standards or fails to timely notify the agency of a breach.