Federal Legislation Introduced to Hold Credit Reporting Agencies Accountable for Data Breaches
Thursday, January 11, 2018 6:40 AM

Sens. Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introduced the Data Breach Prevention and Compensation Act of 2018 yesterday to hold large credit reporting agencies (CRAs) accountable for data breaches involving consumer data. The bill would provide the Federal Trade Commission more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.

The September 2017 Equifax breach, which affected more than 145 million Americans, revealed that CRAs hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers. Since 2013, Equifax has disclosed at least four separate hacks in which sensitive personal data were compromised.

The Data Breach Prevention and Compensation Act of 2018 seeks to establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs. It would impose mandatory, strict liability penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. 

Under this legislation, Equifax would have had to pay a penalty of at least $1.5 billion for its failure to protect Americans' personal information. To ensure robust recovery for affected consumers, the bill would also require the FTC to use 50 percent of its penalty to compensate consumers and would increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to notify the FTC of a breach in a timely manner.

"The financial incentives here are all out of whack. Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," said Warren. "Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax, and provides robust compensation for affected consumers, which will put money back into people's pockets and help stop these kinds of breaches from happening again."

A fact sheet about the legislation may be viewed here. The bill text is available here.