A bill introduced by Senate Democrats on Wednesday would establish new cybersecurity regulations for credit reporting agencies and impose strict fines for those whose security is found wanting. It would also create a new cybersecurity office within the Federal Trade Commission (FTC) tasked with ensuring that consumers are notified when their personal data is compromised—specifically by Equifax-like companies.
The Data Breach Prevention and Compensation Act, introduced by Senators Elizabeth Warren and Mark Warner, aims to “incentivize” the security around sensitive consumer data by, among other measures, imposing mandatory fines on credit reporting agencies (CRA) with flawed security. It would further require annual inspections by the FTC, whose officials would be tasked with evaluating data-security measures employed by the CRAs.
And the fines are nothing to scoff at.
In a case like Equifax, the company responsible for the breach would pay up to $100 for each consumer whose privacy was violated—though the fine is capped at 50 percent of the company’s gross revenue for the previous fiscal year. (For perspective, without the cap, Equifax would’ve been slapped with a $14 billion fine.) The fine is double if the company fails to report the breach, and in those cases, the cap is increased to 75 percent of gross revenue.
“The financial incentives here are all out of whack,” Senator Warren said. “Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach.” The bill, she said, “imposes massive and mandatory penalties for data breaches at companies like Equifax—and provides robust compensation for affected consumers—which will put money back into people’s’ pockets and help stop these kinds of breaches from happening again.”
When fines are paid, half of the money would be paid to the consumers affected, while the other half would go to the FTC to fund inspections and cybersecurity research.
The Warren-Warner bill would establish at the FTC an “Office of Cybersecurity” tasked with supervising specifically the CRAs. Equifax, for example, would be required to provide the FTC with information about its “technical and organizational security measures,” including but not limited to inventories and configurations of authorized devices and software, as well any measures deployed to detect and remediate vulnerabilities throughout the company’s network.
Notably, the list of required security measures includes the encryption of data, both stored and in transit. The bill further requires mandatory inspections if the FTC has “reason to suspect” noncompliance, and any findings would be turned over to Congress. The FTC is also ordered to sue any CRA that fails to fall in line.
The Warren-Warner bill would cover any data breach that involves the following types of data:
- A Social Security number
- A driver’s license number
- A passport number
- An alien registration number or other government ID
- Biometric data: broadly defined to include voice, face, iris, and fingerprint, but also “other unique physical representations” (gait, perhaps?)
- First and last name if combined with health information
- Credit/debit card information, passwords to access financial information, and “such additional information, as determined by the Director.”
“In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” Senator Warner said. “This bill will ensure that companies like Equifax—which gather vast amounts of information on American consumers, often without their knowledge—are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”
Adriel Desautels, CEO of the penetration-testing firm Netragard, said the bill appears to establish a “strong set of consumer protections,” though he questioned who would ultimately determine the number of records involved in any breach. “Since the penalty is based on the number of records accessed,” he said, “it is important to establish a clear process for counting the accessed records. It is also important that the count is not determined by the breached party alone.”
For the purpose of calculating fines, Gizmodo learned, the number of victims would be determined by the district court judge who hears the case after the FTC files a suit. One the one hand, judges aren’t particularly known for being technically savvy; but on the other, lying to a judge would likely result in criminal charges. So there’s that.
Below is the full text the Data Breach Prevention and Compensation Act, as introduced.