Ahead of Europe's implementation of GDPR in May, newly proposed legislation introduced in the US by two Democratic US senators aims to impose stiff, mandatory penalties on credit reporting agencies (CRAs) that fail to protect consumers' sensitive information from data breaches.
Had such a law been in place when Equifax acknowledged a massive 2017 breach impacting more than 145 million Americans, the agency would have been required to pay at least £1.1 billion in penalties, half of which would have gone toward compensating victims, according to a 10 January press release issued by the bill's creators, Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Virg.).
Under the terms of the senators' Data Breach Prevention and Compensation Act, the US Federal Trade Commission would create an Office of Cyber-security, responsible for promulgating CRA data security regulations, and conducting annual inspections and oversight of these agencies.
The legislation further dictates that breached CRAs must shell out £74 for each consumer who has one piece of personally identifying information compromised, and an additional £37 for every additional piece of PII per consumer – with a maximum payout set at 50 percent of the agency's gross revenue from the previous year.
However, in cases where a CRA fails to meet FTC data security standards or doesn't notify the FTC of a breach within 10 days, the penalties would double and the maximum payout would increase to 75 percent of the prior year's gross revenue.
This financial penalty would be distributed to the FTC, which would allocate 50 percent of the funds toward restitution of aggrieved consumers, and the remaining 50 percent toward cyber-security research and inspections.
“Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” said Warren in the press release. “Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax, and provides robust compensation for affected consumers which will put money back into peoples' pockets and help stop these kinds of breaches from happening again.”
“This bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that's central to Americans' identity management and access to credit,” added Warner, in the release.
The legislation has already garnered the endorsement of officials at multiple consumer advocacy bodies, including the US Public Interest Research Group (PIRG), the Electronic Privacy Information Center, and the Consumer Federation of America.
“This bill establishes much-needed protections for data security for the credit bureaus,” said National Consumer Law Center staff attorney Chi Chi Wu, in the senators' press release. “It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust.”
In September 2017, Warren co-introduced another bill, the Freedom from Equifax Exploitation (FREE) Act, which would give consumers more control over their credit and personal data and help prevent future incidents, as well as put strictures in place to keep credit monitoring companies from profiting off breaches in part by preventing them from selling information during a credit freeze.