Congress Reintroduces Bill to Fine Credit Bureaus for Data Breaches
Back in 2017, Equifax — one of three major credit bureaus in the United States — experienced a massive breach. As a result, an estimated 147 million Americans saw private data exposed, making them vulnerable to identity theft and other dangers. And while the fallout from this event has led to some changes, such as consumers being allowed to freeze their credit reports for free, many felt that Equifax itself managed to escape punishment for the incident. Now, in response, Democrats in Congress are reintroducing a bill that would impose fines on credit bureaus that fail to protect consumer data.
Proposed by Senator and 2020 presidential hopeful Elizabeth Warren alongside Senator Mark Warner and Representatives Elijah Cummings and Raja Krishnamoorthi, the Data Breach Prevention and Compensation Act would seek to penalize credit bureaus for breaches such as the Equifax hack. According to Axios, in its current form, the bill calls for bureaus to pay a base of $100 to any person who had at least one piece of information exposed as part of a breach, as well as another $50 for each additional piece of private data stolen. Under these terms, it’s estimated that Equifax would have had to pay out $1.5 billion to consumers had this law been enacted prior to that breach.
Axios notes that the bill includes a wide-reaching definition of a breach, including “exposure of information to an unauthorized party.” Also notable is that the legislation would create an Office of Cybersecurity at the Federal Trade Commission. Lastly, there are some exceptions to how large fines can grow. For one, penalties would only be enforced against companies with annual revenues of $7 million or more. Additionally, imposed fines would not be allowed to exceed 50% of revenue.
In a statement about the bill, Senator Warren said, “It’s been nearly two years since Equifax put more than half of the adults in this country at risk by opening the doors to hackers, and this new report shows that this problem is far from fixed. Our bill would hold companies like Equifax accountable for failing to protect consumer data, compensate consumers injured by these breaches, and help ensure that these breaches never happen again.” Those sentiments were echoed by her colleague Senator Warner, who said, “As personal data becomes more and more valuable in today’s information economy, and the scale and impact to consumers of mega-breaches increase, there need to be increased consequences for companies like Equifax that mishandle or neglect to properly safeguard consumer data. By imposing strict penalties for data breaches and facilitating compensations for affected Americans, this legislation will increase accountability and help ensure that credit reporting agencies actively prioritize the security of sensitive consumer information.”
Given the scope of the Equifax hack, it’s really no surprise that legislators are seeking solutions to prevent (or at least punish) repeat performances. Even so, that doesn’t mean that this version of the bill will be able to get off the ground — especially with the current divided Congress. While some form of data breach oversight seems inevitable, time will tell whether the Data Breach Prevention and Compensation Act will become law.