Warren, Warner propose 'massive' fines for breaches at credit bureaus
WASHINGTON — Sens. Elizabeth Warren, D-Mass., and Mark Warner, D-Va., are set Wednesday to introduce a bill that would create mandatory penalties for data breaches at credit reporting agencies.
“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into people's pockets and help stop these kinds of breaches from happening again,” Warren said in a press release.
The Data Breach Prevention and Compensation Act would set mandatory fines at $100 for each consumer who has a piece of personally identifiable information compromised and another $50 for each additional piece of personally identifiable data. The penalties would be capped at 50% of the credit reporting agencies’ gross revenue from the prior year — except in cases of extreme negligence, in which case the fine would go up to 75% of the companies’ prior year gross annual revenue.
The bill comes in response to a data breach at Equifax, which revealed in September that a hack had exposed personally identifiable information such as Social Security numbers, birth dates, driver’s license numbers and credit card numbers of 145 million consumers.
The lawmakers said that consumers typically get $1 or $2 in restitution if their personal data is stolen.
“The financial incentives here are all out of whack,” Warren said. “Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach.”
The bill would also create an Office of Cybersecurity at the Federal Trade Commission, which would conduct cybersecurity inspections at the credit reporting agencies. It would also give the FTC the authority to write new regulations establishing data security standards.
Warner, who is the vice chairman of the Senate Select Intelligence Committee, said if credit reporting agencies can’t protect consumer data, they shouldn’t collect it.
“This bill will ensure that companies like Equifax — which gather vast amounts of information on American consumers, often without their knowledge — are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit,” he said.