Two Democratic senators introduced a bill Wednesday that would provide new regulatory powers for the Federal Trade Commission so that it can punish companies like Equifax and others in the credit reporting industry for poor cybersecurity practices.
The “Data Breach Prevention and Compensation Act” by Sens. Elizabeth Warren, D-Mass., and Mark Warner, D-Va., contains plans for the creation of a “Cybersecurity Office” within the FTC to be led by a career supervisor who will be able to enforce financial penalties on rule breakers. This supervisor would need to maintain relations with the credit reporting industry as the FTC proposes future cybersecurity standards and other related regulations.
The move comes in the wake of the massive data breach at Equifax in 2017, which caused the private records of more than 145 million Americans to be compromised by hackers. A subsequent investigation into the incident by the FBI showed that an outdated piece of web software allowed for the initial intrusion.
Experts say Equifax’s breach was preventable had the credit reporting giant simply followed better “cyber-hygiene” — a patch for the software responsible for the breach became available more than six months before the breach occurred.
Unlike past attempts by their peers to introduce more broadly written data breach mandates, the Warren-Warner bill appears to be solely focused on the cybersecurity and breach notification practices of credit reporting businesses. The industry is largely controlled by just three companies: Equifax, TransUnion and Experian.
If the Data Breach Prevention and Compensation Act were to pass, the FTC would be able to fine credit reporting agencies up to $100 for each consumer whose personal information is “compromised” by hackers. Responsible companies could also be fined another $50 for every additional piece of personal information that is stolen per individual. This includes any compromised material that mentions a consumer’s confidential financial history or social security number, among other documents.
Based on recent history, these types of fines could amount to billions of dollars’ worth of penalties. For example, under the same proposed model, Equifax would have been forced to pay roughly $1.5 billion to the federal government for last year’s historic breach. That said, the bill stipulates a cap on total fines for a single incident based on the credit reporting company’s annual revenue.
Money obtained through fines by the FTC would be equally split between the government and any affected consumers.
“In today’s information economy, data is an enormous asset,” Warner said in a statement to Recode. “But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”
You can read the full text of the Data Breach Prevention and Compensation Act below: