A year after the Equifax hack compromised the personal information of over 145 million people, U.S. Democratic Senators Elizabeth Warren and Mark Warner introduced the Data Breach Prevention and Compensation Act last week. The new legislation would expand the Federal Trade Commission’s (FTC) authority over data breaches by creating an Office of Cybersecurity, which would be tasked with directly supervising data security at consumer credit reporting agencies such as Equifax, Experian and TransUnion. While most cybersecurity legislation currently exists at the state level, the bill is significant in that it signals continued sector-specific interest in cybersecurity at the federal level.
Inspired by today’s information economy, where the personal information of millions of people is collected, centralized and used, the bill aims to create a stricter regime of regulating consumer data.
While the FTC would work to promulgate a number of regulations regarding cybersecurity, the cornerstone of the legislation is the call for “mandatory, strict liability penalties for breaches of consumer data” and robust compensation for those whose data was compromised. While fines would be capped based on the credit reporting agency’s revenue, the base penalty would be $100 for each consumer who had one piece of personally identifiable information (PII) compromised, plus an additional $50 for each further piece of PII compromised per consumer. To put these numbers in context, under the current bill Equifax would have had to pay a $1.5 billion fine for the hack it suffered. Moreover, the bill would require credit reporting agencies to notify the FTC of a breach within 10 days.
Focused on the consequences of failing to provide adequate security for consumer data, Sen. Warren has explained that the bill’s approach is not to have a host of regulators come in and tell credit reporting agencies how to do their jobs or how to design a cybersecurity program. Instead, the focus is on ensuring that companies handling such enormous amounts of highly sensitive data are actually able to protect it.
Although the bill is narrowly tailored to credit reporting agencies, it signals a continued emphasis on cybersecurity at the federal level in an age when companies are gathering and maintaining more and more information about consumers. This news serves as a good reminder for other industries to stay vigilant and prepare as much as possible for cyberattacks.