On Wednesday, Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) unveiled a bill designed to hold credit reporting agencies, the companies that help determine consumers’ creditworthiness by selling their data to lenders, to a higher standard of security and timely breach disclosure.
The bill is squarely aimed at the massive data breach that credit reporting agency Equifax (EFX) announced in September, which exposed the sensitive personal information of more than 145 million consumers, including Social Security numbers. Despite the egregious security lapse, the company might get off largely unscathed. (Several former executives were for a time under scrutiny for selling shares before the breach was announced, but were later cleared by Equifax.)
As things stand, the only comeuppance for Equifax may be investor pressure and class-action suits, which serve as a stick against corporate negligence. Even that may not materialize if Equifax can quash class actions by invoking the forced-arbitration clauses that many consumers have unwittingly agreed to, a possibility the CEO himself acknowledged.
Strong, mandatory penalties for negligence
The senators’ bill, the Data Breach Prevention and Compensation Act, would impose steep, mandatory penalties on credit reporting agencies (the three main ones are Equifax, Experian and TransUnion) when they suffer a security breach. The proposed penalty is $100 for each person who has one piece of personal information compromised, plus $50 for each additional piece exposed about that person. For Equifax, that would come to $14.5 billion for the Social Security numbers alone (145 million people at $100 each). Affected consumers would be entitled to 50% of the penalty as compensation.
The fines, however, would be capped at 50% of the company’s gross revenue for the preceding year. Given that Equifax took in only about $3 billion in revenue in 2016, $1.5 billion would have been the maximum penalty. But if the company were found to have had inadequate data safeguards, the bill would double the fines and raise the cap to 75% of revenue.
Together, the fines and the consumer compensation would mean a large increase in the money returned to wronged consumers. Those consumers now have to monitor their credit reports for fraudulent activity indefinitely: a Social Security number, unlike a password, cannot be changed once it leaks, and banks, other financial institutions and applications for new accounts and credit cards routinely rely on it to verify identity.
Today, most class-action suits return only a few dollars per consumer, the senators noted in a statement to Yahoo Finance, so the difference could be sharp.
A new regulatory body at the FTC
To enforce this, Warren and Warner’s bill proposes that the FTC establish an Office of Cybersecurity to perform annual inspections of the agencies and supervise their cybersecurity practices. The senators argue that the FTC currently lacks the authority to supervise this industry’s data security, and that the government as a whole has been slow to write laws and regulations that keep pace with the rapidly changing, critical issues of cybersecurity, data storage and privacy.