S.2289 - Data Breach Prevention and Compensation Act of 2018

To create an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies, to require the promulgation of regulations establishing standards for effective cybersecurity at consumer reporting agencies, to impose penalties on credit reporting agencies for cybersecurity breaches that put sensitive consumer data at risk, and for other purposes.

You might favor this bill if:
►  You believe that Credit Reporting Agencies (CRAs) should be regulated by the newly created Office of Cybersecurity. The Equifax breach stole the information of 145 million Americans; not only do events like these need to be prevented, but affected consumers should be compensated using penalty funds applied to the CRAs.

You might oppose this bill if:
►  You believe Credit Reporting Agencies should not be regulated by the federal government. These agencies have already been regulated by the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC).

The Data Breach Prevention and Compensation Act would create the Office of Cybersecurity within the FTC, which would be in charge of regulating government agencies' management of data security. The bill would establish cybersecurity inspections, impose mandatory penalties, and compensate consumers for stolen data.

Sen. Warren aims to hold large credit reporting agencies (CRAs) - including Equifax - accountable for data breaches involving consumer data. The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.

The bill would impose mandatory, strict liability penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information compromised and another $50 for each additional piece of compromised information per consumer.

Under this legislation, Equifax, which in September 2017 announced that hackers had stolen sensitive personal information - including Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers - of over 145 million Americans, would have had to pay at least a $1.5 billion penalty for its failure to protect Americans' personal information.

To ensure robust recovery for affected consumers, the bill would also require the FTC to use 50% of its penalty to compensate consumers and would increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach. Under current law, it is difficult for consumers to get compensation when their personal data is stolen. Typical awards range from $1 to $2 per consumer. Using 50% of penalties would prevent this.

"The financial incentives here are all out of whack - Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," said Senator Warren. "Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax - and provides robust compensation for affected consumers - which will put money back into peoples' pockets and help stop these kinds of breaches from happening again."

The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:

"This bill creates greater incentive for these companies to handle our data with care and gives the Federal Trade Commission the tools that it needs to hold them accountable," said Director of Consumer Protection and Privacy at Consumer Federation of America, Susan Grant.

"U.S. Public Interest Research Group commends Senators Warren and Warner for the Data Breach Prevention and Compensation Act. It will ensure that credit bureaus protect your information as if you actually mattered to them and it will both punish them and compensate you when they fail to do so," said U.S. PIRG Consumer Program Director, Ed Mierzwinski.

"The ongoing risk of data breach and identity theft have reached epidemic proportions. We clearly need more expertise in the federal government to address this challenge," said Electronic Privacy Information Center President, Marc Rotenberg.

A year after the public learned of the Equifax breach, the Government Accountability Office (GAO) reported how attackers exploited significant vulnerabilities at the company to gain access to the sensitive personal information of more than 145 million Americans.

According to the GAO, "Equifax determined that several major factors had facilitated the attackers' ability to successfully gain access to its network and extract information from databases containing [private consumer information]," and that "key factors that led to the breach were in the areas of identification, detection, segmentation, and data governance."

"This new GAO report describes in painful detail how Equifax failed to protect the personal information of over 145 million Americans," said Senator Warren. "One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information - and the Trump Administration and Republican-controlled Congress have done nothing. We must pass my Data Breach Prevention and Compensation Act to stop these kinds of breaches from happening again."

The GAO report also underscores the lack of action by the Trump Administration to address Equifax's failures. The report confirms that the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) are the key federal regulators responsible for oversight of Credit Ratings Agencies, and both agencies have acknowledged opening investigations after Equifax revealed the breach. But to date, neither investigation has resulted in any enforcement actions against Equifax.


Sponsored by: Sen. Warren, Elizabeth [D-MA].

Cosponsored by: 0 Rep / 3 Dem.
