If Another Equifax Breach Happens, Lawmakers Want to See Billions in Fines

Sen. Elizabeth Warren, D-Mass. Carolyn Kaster/AP

Lawmakers want credit reporting agencies to pay potentially billions in fines if their data gets stolen, and they want victims of the breach to get a big chunk of the money.

Introduced on Wednesday by Sens. Elizabeth Warren, D-Mass., and Mark Warner, D-Va., the Data Breach Prevention and Compensation Act would raise the security requirements for data stored at credit agencies and give the organizations more to lose when that information gets stolen. It’s the third piece of legislation aimed at tightening the leash on credit reporting agencies in the wake of the 2017 Equifax data breach.

“Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” Warren said in a statement. “This bill will ensure that companies like Equifax … are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

In September 2017, hackers made off with the Social Security numbers, credit card information, birth dates and other sensitive data of more than 143 million Americans served by Equifax. The incident renewed calls on Capitol Hill for a national standard for reporting breaches and reinvigorated the debate over companies’ liability in such an event.

The Warren-Warner bill would create a new cybersecurity office at the Federal Trade Commission and task it with inspecting and supervising data protection at credit agencies. The legislation would force agencies to pay the FTC an upfront fine of $100 for each consumer who had a single piece of personally identifiable information stolen in a breach, and another $50 for each additional stolen data point.

Under those conditions, Equifax would have been fined $14.3 billion if hackers had only stolen their customers’ names. Add in each customer’s Social Security number, address and birthdate, and the penalties shoot to more than $21 billion.

The bill also mandates that the FTC use half the collected fines to compensate affected consumers, and it tacks on more penalties for agencies that lacked adequate cybersecurity or failed to report a breach.

The massive and mandatory penalties imposed by the bill would “put money back into people’s pockets” and incentivize credit reporting agencies to “stop these kinds of breaches from happening again,” Warren said.

In the immediate aftermath of the Equifax breach, Warren introduced the Freedom from Equifax Exploitation Act, which would increase fraud alert requirements and give consumers the power to freeze their credit upon request. In September, House lawmakers also introduced a bill that would require companies hit by data breaches to notify affected consumers within 30 days.

Republicans have yet to sign on to any of the three data breach bills.