You might favor this bill if:
► You believe that Credit Reporting Agencies (CRAs) should be regulated by the newly created Office of Cybersecurity. The Equifax breach exposed the personal information of 145 million Americans; not only do events like these need to be prevented, but affected consumers should be compensated using penalty funds collected from the CRAs.
You might oppose this bill if:
► You believe Credit Reporting Agencies should not be regulated by the federal government. These agencies are already regulated by the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC).
The Data Breach Prevention and Compensation Act would create the Office of Cybersecurity within the FTC, which would be in charge of regulating government agencies' management of data security. The bill would establish cybersecurity inspections, impose mandatory penalties, and compensate consumers for stolen data.
Sen. Warren aims to hold large credit reporting agencies (CRAs) - including Equifax - accountable for data breaches involving consumer data. The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.
The bill would impose mandatory, strict-liability penalties for breaches of consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information compromised and another $50 for each additional piece of compromised information per consumer.
Under this legislation, Equifax, which in September 2017 announced that hackers had stolen sensitive personal information - including Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers - of over 145 million Americans, would have had to pay at least a $1.5 billion penalty for its failure to protect Americans' personal information.
To ensure robust recovery for affected consumers, the bill would also require the FTC to use 50% of each penalty to compensate consumers, and would increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to notify the FTC of a breach in a timely manner. Under current law, it is difficult for consumers to get compensation when their personal data is stolen; typical awards range from $1 to $2 per consumer. Earmarking 50% of penalties for consumers would address this.
The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups.
A year after the Equifax breach became public, the Government Accountability Office (GAO) reported how attackers exploited significant vulnerabilities at the company to gain access to the sensitive personal information of more than 145 million Americans.
According to the GAO, "Equifax determined that several major factors had facilitated the attackers' ability to successfully gain access to its network and extract information from databases containing [private consumer information]," and that "key factors that led to the breach were in the areas of identification, detection, segmentation, and data governance."
The GAO report also underscores the lack of action by the Trump Administration to address Equifax's failures. The report confirms that the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) are the key federal regulators responsible for oversight of credit reporting agencies, and both agencies have acknowledged opening investigations after Equifax revealed the breach. But to date, neither investigation has resulted in any enforcement action against Equifax.
Sponsored by: Sen. Warren, Elizabeth [D-MA].
Cosponsored by: 0 Rep / 3 Dem.