Credit reporting agencies would pay hefty fines for data breaches under legislation introduced this month by a group of Democratic lawmakers.
Inspired by the massive 2017 data breach at Equifax, the Data Breach Prevention and Compensation Act would require minimum penalties of $100 per consumer affected by a breach at a credit reporting firm. The bill would create an additional fine of $50 for each additional piece of personal information compromised, with a cap at 50% of a company’s gross revenue from the previous year, except when the credit reporting firm has inadequate security controls in place. If the company doesn’t comply with the Federal Trade Commission’s data security standards, or if it fails to notify the agency of the breach in a timely manner, the potential fines are doubled, with the cap raised to 75% of the previous year’s revenue. Lawmakers introduced a similar bill in 2018, but Congress didn’t act on it.
If the bill had been in place during the Equifax breach, the company would have faced fines of at least $1.5 billion, said Sen. Elizabeth Warren, D-Mass., a primary sponsor of the bill.
The bill is necessary to protect consumers against breaches at companies that hold a wealth of personal information, its sponsors said. The Equifax breach affected about 143 million U.S. residents.
“It’s been nearly two years since Equifax put more than half of the adults in this country at risk by opening the doors to hackers,” Warren said in a statement. “Our bill would hold companies like Equifax accountable for failing to protect consumer data, compensate consumers injured by these breaches, and help ensure that these breaches never happen again.”
On the day lawmakers introduced the bill, its sponsors also released a report detailing ongoing problems related to the Equifax breach. There has been a “dramatic spike” in the number of consumer complaints filed against the company since the breach, the report says.
Several privacy groups praised the legislation, and U.S. residents seem to support fines for data breaches, noted a representative of Snowflake, a provider of cloud-based data warehouse services. In an April survey conducted for the company, 63% of respondents said they believe consumers affected by a data breach are entitled to financial compensation, and 62% said the company responsible for the breach should be financially punished.
But some observers questioned why the bill targets only credit reporting agencies. Data aggregators and other companies that store personal information should also be held accountable for proper security, said Michael Magrath, director of global regulations and standards at cybersecurity vendor OneSpan. However, “singling out the credit reporting agencies certainly draws attention,” he added.
Other organizations holding a lot of personal information, including insurance companies, healthcare providers, and government agencies, have also been breached, he noted. The bill “should encompass all industries, and any fines and other penalties should factor in negligence and noncompliance with regulations,” he added.
A $1.5 billion fine to Equifax could potentially drive the company out of business, added Dan Tuchler, chief marketing officer at SecurityFirst, another cybersecurity vendor. “Is that in the best interest of consumers?” he said. “The bill’s authors should take another look at this level of penalty.”
Tuchler said he supports fines as incentives for companies to take data privacy seriously. “However, it’s not clear why lawmakers are choosing to single out credit reporting agencies,” he added. “We’d encourage a broader and more thoughtful approach targeting companies that have not yet had a breach.”
Equifax didn’t respond to requests for comment on the bill. But Francis Creighton, president and CEO of the trade group Consumer Data Industry Association, said credit reporting agencies shouldn’t be singled out for fines.
“We recognize we play a special role in the economy,” but data breach penalties should apply to all organizations that hold consumer data, he said.
In addition to the fines, the bill would also establish an office of cybersecurity at the Federal Trade Commission, and the office would be required to conduct annual inspections of credit reporting agencies.