Sheila Millar and Tracy Marshall

In response to the Equifax data breach last September, when hackers gained access to the personal information of 143 million consumers, Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced a bill, The Data Breach Prevention and Compensation Act of 2018, that would ultimately impose security obligations on credit reporting agencies (CRAs). The bill would expand the Federal Trade Commission’s (FTC) authority, establishing a new Director and Office of Cybersecurity with power to promulgate cybersecurity regulations and conduct cybersecurity investigations at CRAs that earn more than $7 million a year from the sale of consumer information. The Equifax breach prompted a flurry of legislation, but if passed, this bill would be the first to create data security standards for the credit reporting industry.

Both Warren and Warner have been active in attempting to rein in CRAs since the Equifax hack. Warner, a former tech executive who is vice chairman of the Senate Select Intelligence Committee, issued a statement in the wake of the Equifax breach in which he questioned “whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies.” Warner also wrote a letter to the FTC in September 2017, asking for an investigation into Equifax’s cybersecurity practices. Warren, who helped establish the Consumer Financial Protection Bureau, introduced (ultimately unsuccessful) legislation that would allow consumers to freeze their credit on demand and at no cost.

One of the most notable aspects of the bill is the power it gives to the FTC to impose massive fines for security breaches and reporting violations. CRAs would be subject to mandatory strict liability penalties for breaches involving consumer data. Violators would be required to pay $100 per consumer for data security breaches plus $50 for each piece of personal information compromised. This amount would be doubled and the maximum penalty increased to 75% of the CRA’s gross revenue for particularly egregious security lapses, failure to comply with the FTC’s data security standards, or failure to timely notify the agency of a breach. In addition, the bill requires the FTC to use 50% of each fine to compensate consumers.

The bill also contains stringent reporting requirements for CRAs, including a mandate to report breaches to the FTC within 10 days. CRAs would also be obligated to share detailed information concerning their security practices with the Commission, including their asset management, network management, and monitoring. A CRA must further create and maintain documentation demonstrating that it “is employing reasonable technical measures and corporate governance processes for continuous monitoring of data, intrusion detection, and continuous evaluation” of its security processes.

The FTC has initiated many enforcement actions for security failures under its existing authority, and multiple agencies, including the National Institute of Standards and Technology (NIST), have focused on developing risk management approaches to security. The bill itself appears to acknowledge the absence of any current generally recognized measures for evaluating, testing, and measuring the data security practices of CRAs, as it calls for a consultation on this point. The legislation appears unlikely to advance in the Senate.