Dems propose fining credit agencies for data breaches

Dems propose fining credit agencies for data breaches
© Stefani Reynolds

Congressional Democrats on Tuesday reintroduced legislation which would impose fines on credit reporting agencies for compromising customer data, a response to the massive Equifax breach.

The Data Breach Prevention and Compensation Act, unveiled ahead of a Senate Banking Committee hearing on data privacy, would require credit reporting agencies to pay $100 for each consumer whose personal data is compromised in a breach.

The bill was offered by Sens. Elizabeth WarrenElizabeth Ann WarrenPoll: Sanders leads Biden by 9 points in Iowa Poll: Biden leads in Iowa ahead of caucuses The Memo: Impeachment dominates final Iowa sprint MORE (D-Mass.) and Mark WarnerMark Robert WarnerDemocrats worry Trump team will cherry-pick withheld documents during defense Commerce Department withdraws Huawei rule after Pentagon pushback: reports  Hillicon Valley — Presented by Philip Morris International — Bezos phone breach raises fears over Saudi hacking | Amazon seeks to halt Microsoft's work on 'war cloud' | Lawmakers unveil surveillance reform bill MORE (D-Va.) in the upper chamber, and House Oversight and Reform Committee Chairman Elijah CummingsElijah Eugene CummingsBaltimore unveils plaques for courthouse to be named after Elijah Cummings GOP leaders encourage retiring lawmakers to give up committee posts Pelosi taps Virginia Democrat for key post on economic panel MORE (D-Md.) and Rep. Raja Krishnamoorthi (D-Ill.) in the lower.

Warren's office estimated that if the bill was in place in 2017, credit reporting company Equifax would have been required to pay at least a $1.5 billion penalty.

ADVERTISEMENT

The bill, which did not see action in the last Congress, would establish an Office of Cybersecurity at the Federal Trade Commission (FTC) to conduct regular inspections of the cyber practices at credit reporting agencies. It would also enhance the FTC's enforcement capabilities against credit reporting agencies by giving the agency civil penalty authority under the Gramm-Leach-Bliley Act, a law that requires financial institutions to explain how they share and protect customer data.

The Democrats behind the bill also unveiled a new report which found that consumers have made over 52,000 complaints with the Consumer Financial Protection Bureau (CFPB) since the Equifax breach. The report found that the number of complaints filed against Equifax in the months after the breach nearly doubled from the amount reported in the same period prior to the incident.

The Equifax data breach resulted in hackers gaining access to the personal information of an estimated 143 million Americans, including Social Security numbers, passport numbers and birth dates.

Copies of the report were sent to both the both the FTC and the CFPB, with lawmakers asking both agencies to “hold Equifax accountable for the 2017 breach without delay.”

The lawmakers recommended that CFPB also "continue working with federal and state agencies to address critical cybersecurity issues in the credit reporting industry,” and that the CFPB should use “all tools at its disposal to get to the bottom of the causes of the breach and the depths of Equifax’s failures to protect consumer data and respond adequately to the risks facing consumers.”

“The American people have continued to use the CFPB’s complaint process to make their voices heard, and right now, the agency appears to be ignoring those voices,” the lawmakers wrote.

The CFPB did not respond to request for comment on the findings of the report.

The bill received support from a number of industry and agency officials.

Former FTC Chief Technologist Ashkan Soltani said making credit agencies liable for failing to secure consumer data is “a necessary step in ensuring our privacy rights."

Marc Rotenberg, the president and executive director of the Electronic Privacy Information Center, called the legislation “a concrete response to a serious problem facing American consumers.”

Warren discussed the bill during the Senate Banking Committee hearing on data collection and privacy, saying that “the only way credit reporting agencies are going to adequately invest in cybersecurity is if we make it too expensive to ignore.”

At the hearing, Warner harshly criticized the data collection techniques of companies such as Facebook, Twitter and Google, who he accused of "sucking personalized data out from each and every one of us and then marketing that to a whole series of entities.”

Both Republicans and Democrats on the committee argued for legislation to regulate consumer data collection by tech companies. The hearing also comes as lawmakers in both chambers work on drafting a federal data privacy law.

Senate Banking Committee Chairman Mike CrapoMichael (Mike) Dean CrapoSenators ask FDA to crack down on non-dairy milks, cheeses Drug price outrage threatens to be liability for GOP It's time for the Senate to advance cannabis banking reform MORE (R-Idaho) said the committee would “look to update and make improvements to federal laws within its jurisdiction” in regard to this issue.

The panel's ranking member, Sen. Sherrod BrownSherrod Campbell BrownSchiff sparks blowback with head on a 'pike' line Sunday shows - All eyes on Senate impeachment trial Senate Democrat: 'Fine' to hear from Hunter Biden MORE (D-Ohio), said regulating this issue is “critical to our democracy,” citing Facebook's Cambridge Analytica data scandal as an example of giving “bad actors ways to meddle in our elections.”

Maciej Ceglowski, the founder of social bookmarking website Pinboard, testified during the hearing, arguing in favor of regulating the collection of consumer data by companies such as Google, Facebook, Amazon and Microsoft to ensure consumer privacy and to “preserve our liberty.”

“The internet economy today resembles the earliest days of the nuclear industry,” Ceglowski said. “We have a technology of unprecedented potential, we have made glowing promises about how it will transform the daily lives of our fellow Americans, but we don’t know how to keep its dangerous byproducts safe.”