Equifax Inc. and other large credit reporting agencies would face mandatory penalties for consumer data breaches under a bicameral Democratic bill.
The agencies could face fines of $100 for each person who had one piece of personal information compromised, and an additional $50 for each additional piece of information compromised, under the legislation by Democratic presidential contender Elizabeth Warren (D-Mass.), Sen. Mark Warner (D-Va.), and Reps. Elijah Cummings (D-Md.) and Raja Krishnamoorthi (D-Ill.).
The bill comes as lawmakers increasingly are focused on data privacy issues. Equifax would have had to pay at least $1.5 billion in penalties for its 2017 data breach if the legislation had been law then, the lawmakers said in a statement. The breach, revealed in September 2017, exposed the personal information of more than 143 million people.
“Our bill would hold companies like Equifax accountable for failing to protect consumer data, compensate consumers injured by these breaches, and help ensure that these breaches never happen again,” Warren said in a May 7 statement.
The measure would give the Federal Trade Commission more authority over credit reporting agencies’ data security by creating a cybersecurity office within the agency to assess covered entities’ data security measures on an annual basis. The FTC also could issue new regulations on effective data security standards for covered credit reporting agencies under the bill.
“The FTC has been asleep at the switch on the question of Equifax and their loss of 150 million Americans’ most personal data, it’s almost two years after the fact, they’ve paid no penalty,” Warner told reporters after a May 7 Senate Banking, Housing and Urban Affairs Committee hearing on privacy issues. “So in effect, Equifax can say that’s just the cost of doing business and that is a huge downside.”
Warren introduced similar legislation in 2018, but it didn’t advance in the last Congress.
It’s not yet clear if the bill will get Republican support. Sen. Mike Crapo (R-Idaho) said he wouldn’t endorse a specific piece of legislation at the moment.
“The notion that we need to go further in this area, and that the enforcement portion of our law may need to be beefed up, I do think is probably correct,” Crapo, chairman of the Senate banking committee, told reporters after the hearing.
— With assistance from Rebecca Kern