Under the bill, Equifax would have had to pay at least a $1.5 billion penalty for its data breach
A bill that would impose strict penalties on credit reporting agencies for breaches involving consumer data has been introduced in the Senate.
The Data Breach Prevention and Compensation Act, which was introduced by Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.), would also give the Federal Trade Commission (FTC) more direct supervisory authority over data security at credit reporting agencies.
Under the bill, an Office of Cybersecurity would be established at the FTC. The office would conduct annual inspections and supervision of cybersecurity at credit reporting agencies. Additionally, the office would be required to impose mandatory strict liability penalties for consumer data breaches.
The bill proposes a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised, plus another $50 for each additional piece of PII compromised per consumer.
Additionally, the proposed legislation would require the FTC to use 50% of the penalty to compensate consumers. In cases where the credit reporting agency had inadequate cybersecurity or failed to notify the FTC of a breach in a timely manner, the FTC would have the power to increase penalties.
The introduction of the bill follows the announcement by Equifax in September 2017 that the data of more than 145 million American consumers were compromised when hackers stole personal information such as Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers. Under the bill, Equifax would have had to pay at least a $1.5 billion penalty for the breach.
"The financial incentives here are all out of whack - Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," Warren said. "Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into people's pockets and help stop these kinds of breaches from happening again."