Equifax may be facing various legal, regulatory, and financial consequences for the data breach that exposed the personal information of 145.5 million U.S. consumers, but two top Senate Democrats want there to be much stiffer penalties should any credit reporting agency, Equifax included, fail to protect consumer data again.
On Wednesday, Sens. Mark Warner, D-Virginia, and Elizabeth Warren, D-Mass., introduced a bill that would increase oversight of credit reporting agencies and allow the government to impose financial penalties on the agencies for failing to secure consumer data.
In the wake of its data breach, Equifax is facing inquiries from the Consumer Financial Protection Bureau, the Federal Trade Commission, the House Financial Services Committee, the Senate Finance Committee, the office of New York Attorney General Eric Schneiderman, the New York Department of Financial Services, lawsuits from the state of Massachusetts, the cities of San Francisco and Chicago, and inquiries from all 50 state attorneys general.
But under the terms of Warner and Warren’s bill, Equifax would have been subjected to a fine of at least $1.5 billion for the company’s failure to protect consumers’ personal information.
The bill, the Data Breach Prevention and Compensation Act, would establish an Office of Cybersecurity within the Federal Trade Commission that would be tasked with annual inspections and supervision of cybersecurity at the credit reporting agencies.
The bill would also impose mandatory liability penalties for breaches of consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional piece of PII compromised per consumer.
Considering how many people’s data was compromised in the Equifax data breach, the company would have been fined at least $1.5 billion under these rules.
But not all of the money would go straight to the government. In fact, half of the penalty amount would go to the affected consumers to compensate them for the impact of the breach.
According to Warren’s office, the bill would require the FTC to use 50% of the penalty to compensate consumers. The bill would also increase the penalties in cases of “woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.”
According to Warren’s office, the bill caps the penalty at a maximum of 50% of the credit reporting agency’s gross revenue from the prior year.
“In today’s information economy, data is an enormous asset. But if companies like Equifax can't properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn't be collecting it in the first place,” Warner said in a statement. “This bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that's central to Americans’ identity management and access to credit.”
Warren, in her statement, suggested that Equifax may actually be able to make money off of the breach, but said that the bill would put an end to situations like that.
“The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” Warren said. “Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into people’s pockets and help stop these kinds of breaches from happening again.”