New Bill to Give Government Power to Penalize Companies Who Suffer Data Breach

In efforts to motivate entities to protect their stores of sensitive consumer data, lawmakers want to penalize organizations who suffer major cyber-attacks.  The proposed bill would grant the Federal Trade Commission clearer authority to fine credit-reporting agencies.  The fines incurred by the companies would be paid to the millions of Americans affected by the breach.

Equifax could face a massive fine for another security breach — if two top Senate Democrats get their way

Redcode| By Tony Romm| January 10, 2018

Two top Senate Democrats are seeking broad new powers for the U.S. government to slap Equifax and its peers with massive fines if they suffer major cyber attacks — money that would then be returned to the millions of Americans affected by such a breach.

The idea is the centerpiece of the so-called Data Breach Prevention and Compensation Act, a bill to be introduced on Wednesday by Democratic Sens. Elizabeth Warren and Mark Warner. Cyber attacks may be inevitable, but the lawmakers feel that the federal government for too long has lacked the power to penalize entities that fail to protect their stores of sensitive consumer data.

Specifically, the bill would grant the Federal Trade Commission — an arm of the government that oversees companies’ security practices — clearer authority to fine credit-reporting agencies. That category includes TransUnion, Experian and Equifax, the latter of which was subject to a breach last year compromising the names, Social Security numbers and other sensitive information of more than 145 million Americans.

If the Democrats’ measure had been law at the time of the incident, Equifax would have been forced to fork over $1.5 billion to the feds, the lawmakers estimate. That’s because their measure would allow the FTC to fine credit-reporting agencies $100 for each consumer whose personal information was stolen by a hacker — and an another $50 for each additional piece of personal information compromised per individual. Total fines would be capped based on a credit-reporting agency’s revenue, but could increase further if the likes of Equifax failed to follow basic cybersecurity practices.

The bill by Warren and Warner would further ensure that half of the money paid to the U.S. government would ultimately be returned to affected consumers. Meanwhile, the Democratic duo would empower the FTC to probe and regulate the data security practices of credit-reporting agencies.

“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into peoples’ pockets and help stop these kinds of breaches from happening again,” Warren said in a statement.

For Warren and Warner, their proposal originates out of a broader frustration about the power and reach of credit-reporting agencies. These entities aren’t widely known, but they amass virtual warehouses of information about all Americans. The credit scores they compute affect consumers’ ability to purchase cars, rent apartments, obtain loans and more — but the watchdog FTC is limited in its oversight of the industry.

Yet even these powerful Democrats still face a daunting challenge in advancing their legislation to a vote on the Senate floor.

Lawmakers convened months of hearings in the aftermath of the Equifax breach, repeatedly grilling its top executives for their misdeeds. Disgust and outrage transcended party lines, leading Democrats and Republicans to expand their inquiries to include other major breaches, including a 2013 incident at Yahoo that affected three billion users.

Somehow, though, their intense, widespread criticism failed to translate into any new, meaningful movement on a slew of bills that might have addressed the problem. Congress couldn’t even advance basic legislation that aimed to refund consumers who had to purchase credit freezes from the very credit-reporting agencies, like Equifax, that had been hacked. Warren, in fact, had been a key driver of that idea.

Nor was it the first time that lawmakers failed to translate their outage into action: Similar breaches affecting Sony, Home Depot, Target and scores of other major companies in recent years have failed to convince Congress to adopt new federal rules governing how and when companies inform customers of a data breach. Many states have their own rules, which one major company — Uber — may have flouted in its handling of a 2016 security incident.

For now, though, Senate Democrats stressed that their new bill is necessary to fix the “out of whack” economics of cybersecurity, as Warren explained — the reality that there’s currently very little the FTC can do, even in the wake of a cyber attack that affected 40 percent of the U.S.

“In today’s information economy, data is an enormous asset,” added Warner in a statement. “But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”