Two senators are proposing a bill that would give the Federal Trade Commission (FTC) the power to levy heavy fines against credit reporting agencies that breach consumers’ personal information.
Senators get tougher on data breaches
Senator Elizabeth Warren (D-MA)
Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) introduced the Data Breach Prevention and Compensation Act of 2018 on January 10, 2018. It is a direct response to last year’s Equifax breach, in which 145.5 million people’s data was exposed after criminal hackers exploited a weakness in the organization’s software.
“The financial incentives here are all out of whack,” Warren said in a statement. “Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach.”
What does the bill propose?
If passed into law, the bill would give the FTC the authority to fine breached agencies $100 per affected consumer, with an extra $50 for each additional piece of data put at risk. The fines would be capped at 50% of the organization’s gross revenue.
The penalty doubles if the organization fails to disclose the breach to regulators promptly or has insufficient cybersecurity measures in place. Half of the money would be redistributed to the affected consumers.
The bill also calls for the FTC to establish a new cybersecurity office that would monitor credit reporting agencies’ cybersecurity practices.
Warren, who has gained an unexpected cult following, has been less popular in the Senate. Last year, she twice tried to pass reforms in the wake of the Equifax hack, but neither bill made it out of committee. The proposals are thought to have failed because they were too broadly prescriptive, but this latest attempt is more akin to the Health Insurance Portability and Accountability Act (HIPAA), creating sector-specific standards.
However, Francis Creighton, the president and CEO of the Consumer Data Industry Association, which represents Equifax, Experian, and TransUnion, believes this bill has the same flaws. “The agencies already comply with the same rigorous data protection standards as banks,” he told CNET.
“We do not believe the Warren/Warner bill provides a balanced solution to an increasingly complex problem that affects every part of the economy – including the federal government.”
Will it be passed into law?
This bill will have a hard time passing through a Republic-controlled Senate in its current form, but the traction it has gained so far evidences a bipartisan acknowledgement that cybersecurity needs to be addressed by government. Cybersecurity became a major talking point among governors last year, and it’s only a matter of time before significant reforms are passed.
In the meantime, all eyes will be on the New York Department of Financial Services, as all covered entities are required to certify to the state’s Cybersecurity Requirements by February 15, 2018. Depending on the success of this Regulation, other states might implement similar requirements.
e-End operates a secure facility in Frederick, MD, specializes in destroying a wide variety of classified data and various controlled devices. This includes destruction of data containing hard drives, destruction of ITAR controlled devices, IT equipment and tactical military devices. They routinely destroy body armor that has reached the end of its certified period of use.