Dems propose fining credit agencies for data breaches

Dems propose fining credit agencies for data breaches
© Stefani Reynolds

Congressional Democrats on Tuesday reintroduced legislation which would impose fines on credit reporting agencies for compromising customer data, a response to the massive Equifax breach.

The Data Breach Prevention and Compensation Act, unveiled ahead of a Senate Banking Committee hearing on data privacy, would require credit reporting agencies to pay $100 for each consumer whose personal data is compromised in a breach.

The bill was offered by Sens. Elizabeth WarrenElizabeth Ann WarrenGun control: Campaigning vs. legislating Booker defends middle-ground health care approach: 'We're going to fight to get there' Democrats spar over electoral appeal of 'Medicare for All' MORE (D-Mass.) and Mark WarnerMark Robert Warner2020 Democrats raise alarm about China's intellectual property theft State probes of Google, Facebook to test century-old antitrust laws Hillicon Valley: Trump fires Bolton as national security adviser | DOJ indicts hundreds over wire-transfer scam | CEOs push for federal privacy law | Lyft unveils new safety features after sexual assault allegations MORE (D-Va.) in the upper chamber, and House Oversight and Reform Committee Chairman Elijah CummingsElijah Eugene CummingsPence extends olive branch to Cummings after Trump's Baltimore attacks Infrastructure needed to treat addiction as chronic disease doesn't exist GOP retreat creates WiFi password blasting socialism MORE (D-Md.) and Rep. Raja Krishnamoorthi (D-Ill.) in the lower.

Warren's office estimated that if the bill was in place in 2017, credit reporting company Equifax would have been required to pay at least a $1.5 billion penalty.

ADVERTISEMENT

The bill, which did not see action in the last Congress, would establish an Office of Cybersecurity at the Federal Trade Commission (FTC) to conduct regular inspections of the cyber practices at credit reporting agencies. It would also enhance the FTC's enforcement capabilities against credit reporting agencies by giving the agency civil penalty authority under the Gramm-Leach-Bliley Act, a law that requires financial institutions to explain how they share and protect customer data.

The Democrats behind the bill also unveiled a new report which found that consumers have made over 52,000 complaints with the Consumer Financial Protection Bureau (CFPB) since the Equifax breach. The report found that the number of complaints filed against Equifax in the months after the breach nearly doubled from the amount reported in the same period prior to the incident.

The Equifax data breach resulted in hackers gaining access to the personal information of an estimated 143 million Americans, including Social Security numbers, passport numbers and birth dates.

Copies of the report were sent to both the both the FTC and the CFPB, with lawmakers asking both agencies to “hold Equifax accountable for the 2017 breach without delay.”

The lawmakers recommended that CFPB also "continue working with federal and state agencies to address critical cybersecurity issues in the credit reporting industry,” and that the CFPB should use “all tools at its disposal to get to the bottom of the causes of the breach and the depths of Equifax’s failures to protect consumer data and respond adequately to the risks facing consumers.”

“The American people have continued to use the CFPB’s complaint process to make their voices heard, and right now, the agency appears to be ignoring those voices,” the lawmakers wrote.

The CFPB did not respond to request for comment on the findings of the report.

The bill received support from a number of industry and agency officials.

Former FTC Chief Technologist Ashkan Soltani said making credit agencies liable for failing to secure consumer data is “a necessary step in ensuring our privacy rights."

Marc Rotenberg, the president and executive director of the Electronic Privacy Information Center, called the legislation “a concrete response to a serious problem facing American consumers.”

Warren discussed the bill during the Senate Banking Committee hearing on data collection and privacy, saying that “the only way credit reporting agencies are going to adequately invest in cybersecurity is if we make it too expensive to ignore.”

At the hearing, Warner harshly criticized the data collection techniques of companies such as Facebook, Twitter and Google, who he accused of "sucking personalized data out from each and every one of us and then marketing that to a whole series of entities.”

Both Republicans and Democrats on the committee argued for legislation to regulate consumer data collection by tech companies. The hearing also comes as lawmakers in both chambers work on drafting a federal data privacy law.

Senate Banking Committee Chairman Mike CrapoMichael (Mike) Dean Crapo2020 Democrats raise alarm about China's intellectual property theft Trump faces tough path to Fannie Mae, Freddie Mac overhaul A US-UK free trade agreement can hold the Kremlin to account MORE (R-Idaho) said the committee would “look to update and make improvements to federal laws within its jurisdiction” in regard to this issue.

The panel's ranking member, Sen. Sherrod BrownSherrod Campbell BrownHillicon Valley: Google to promote original reporting | Senators demand answers from Amazon on worker treatment | Lawmakers weigh response to ransomware attacks Senate Democrats want answers on 'dangerous' Amazon delivery system Hillicon Valley: Uber vows to defy California labor bill | Facebook, Google, Twitter to testify on mass shootings | Facebook's Libra to pursue Swiss payments license MORE (D-Ohio), said regulating this issue is “critical to our democracy,” citing Facebook's Cambridge Analytica data scandal as an example of giving “bad actors ways to meddle in our elections.”

Maciej Ceglowski, the founder of social bookmarking website Pinboard, testified during the hearing, arguing in favor of regulating the collection of consumer data by companies such as Google, Facebook, Amazon and Microsoft to ensure consumer privacy and to “preserve our liberty.”

“The internet economy today resembles the earliest days of the nuclear industry,” Ceglowski said. “We have a technology of unprecedented potential, we have made glowing promises about how it will transform the daily lives of our fellow Americans, but we don’t know how to keep its dangerous byproducts safe.”