Rep. Katie Porter (D-Calif.) is preparing to take on the largest credit reporting bureaus with a data security proposal that would give consumers the right to sue after data breaches.
The Federal Trade Commission’s record-setting $700 million data breach settlement with Equifax Inc. last month was criticized by consumer advocates and lawmakers who felt the agency didn’t do enough to punish the company or remediate consumer harms. The 2017 hack exposed the data of 140 million people.
“The Equifax settlement, though historic in size, did not make consumers whole,” Porter said in an emailed statement to Bloomberg Law. “That’s in part because federal data protection and privacy laws were written decades ago, before a massive shift toward storing data on servers and the cloud and a relatively recent spike in the value of consumer data,” she said.
Porter’s bill would amend the Fair Credit Reporting Act (FCRA) to include a reasonable data security standard for credit reporting agencies Equifax, Experian Plc and TransUnion, as well as other entities subject to the law. Establishing that requirement would give consumers the ability to sue using the FCRA’s existing private right of action, according to Porter, a former bankruptcy law professor who sits on the House Financial Services Committee.
While FCRA already allows consumers to sue if their data is “furnished” or transmitted to unauthorized third parties, that right doesn’t apply to data breaches, a federal district judge in Georgia ruled in January. The law allows consumers to seek $100 to $1,000 in damages, plus attorney fees and court-ordered damages, for each violation.
The judge in the class action rebuffed consumers’ claim that Equifax violated FCRA by passively furnishing data to hackers. “The data at issue was stolen by cyberhackers and not furnished to them,” Judge Thomas Thrash, Jr. wrote in his opinion.
Lawmakers have been pressured by various industries and consumer groups to hold companies accountable after major data breaches and privacy incidents.
Lawmakers on the House Energy and Commerce Committee and Senate Commerce Committee have continued to talk about a wider privacy bill targeting tech giants like Facebook Inc. and Alphabet Inc.'s Google. But progress has been slow and the legislation would likely have to go through other committees including the House and Senate Judiciary panels.
That’s led lawmakers on other committees to tackle data privacy issues specific to their jurisdictions. House Financial Services Committee Democrats are among the first to take action.
Porter’s bill, which could be introduced as early as September, would fall under the purview of the Financial Services Committee and avoid the jurisdictional hurdles that have been an impediment to broader privacy legislation.
The draft bill could see some GOP pushback over expanding FCRA’s private right of action. Republican lawmakers working on privacy legislation in the House and Senate broadly oppose a consumer’s right to sue directly for privacy harms, though a narrowly-written bill primarily targeting the credit bureaus may be able to gain bipartisan support.
The bill also wouldn’t prescribe specific cybersecurity standards, an action that often draws industry opposition. That would mean the hundreds of much smaller credit reporting agencies—many of which specialize in collecting specific types of consumer information like payday loans, bank accounts, or utilities—wouldn’t be held to the same data security standards as the three giant CRAs.
“What’s ‘reasonable’ as applied to a major corporation may not be reasonable to impose on a small business,” Porter said in her email.
“As the Equifax settlement showed, courts are more than willing to make those determinations themselves,” she added.
Porter’s bill will need support from committee Chairwoman Maxine Waters (D-Calif.) as well as Republican buy-in, particularly in the Senate, if it stands a chance of enactment.
That may not be such a high hurdle given the rebukes the credit reporting agencies have received on both sides of the aisle.
Waters has been a vocal critic of the industry, spearheading legislation (H.R. 3642) to make it easier for consumers to eliminate unfavorable data from their credit reports, and criticizing the bureaus for treating consumers like “commodities.”
Senate Banking Committee Chairman Michael Crapo (R-Idaho) has repeatedly called for better consumer data protections and House Republicans have said that the big three credit reporting bureaus have too much power.
“There is no better example than the oligopoly that was created than the three that are sitting before us here today,” Financial Services ranking member Rep. Patrick McHenry (R-N.C.) said at a February hearing with the top executives of Equifax, Experian, and TransUnion.