Bill Seeks FTC Office of
January 11, 2018
U.S. Sens. Mark R. Warner (D-VA) and Elizabeth Warren (D-MA)
introduced the Data Breach Prevention and Compensation Act to
hold large credit reporting agencies (CRAs)—including
Equifax—accountable for data breaches involving consumer data.
The bill would give the Federal Trade Commission (FTC) more
direct supervisory authority over data security at CRAs, impose
mandatory penalties on CRAs to incentivize adequate protection
of consumer data, and provide robust compensation to consumers
for stolen data.
In September 2017, Equifax announced that hackers had stolen
sensitive personal information – including Social Security
Numbers, birth dates, credit card numbers, driver’s license
numbers, and passport numbers – of over 145 million Americans.
The attack highlighted that CRAs hold vast amounts of data on
millions of Americans but lack adequate safeguards against
hackers. Since 2013, Equifax has disclosed at least four
separate hacks in which sensitive personal data was compromised.
“In today’s information economy, data is an enormous asset. But
if companies like Equifax can’t properly safeguard the enormous
amounts of highly sensitive data they are collecting and
centralizing, then they shouldn’t be collecting it in the first
place,” said Sen. Warner. “This bill will ensure that companies
like Equifax – which gather vast amounts of information on
American consumers, often without their knowledge – are taking
appropriate steps to secure data that’s central to Americans’
identity management and access to credit.”
“The financial incentives here are all out of whack – Equifax
allowed personal data on more than half the adults in the
country to get stolen, and its legal liability is so limited
that it may end up making money off the breach,” said Sen.
Warren. “Our bill imposes massive and mandatory penalties for
data breaches at companies like Equifax – and provides robust
compensation for affected consumers – which will put money back
into peoples’ pockets and help stop these kinds of breaches from
The Data Breach Prevention and Compensation Act would establish
an Office of Cybersecurity at the FTC tasked with annual
inspections and supervision of cybersecurity at CRAs. It would
impose mandatory, strict liability penalties for breaches of
consumer data beginning with a base penalty of $100 for each
consumer who had one piece of personal identifying information (PII)
compromised and another $50 for each additional PII compromised
per consumer. To ensure robust recovery for affected consumers,
the bill would also require the FTC to use 50% of its penalty to
compensate consumers and would increase penalties in cases of
woefully inadequate cybersecurity or if a CRA fails to timely
notify the FTC of a breach.
The Data Breach Prevention and Compensation Act is supported by
cybersecurity experts and consumer groups:
“U.S. PIRG commends Senators Warren and Warner for the Data
Breach Prevention and Compensation Act. It will ensure that
credit bureaus protect your information as if you actually
mattered to them and it will both punish them and compensate you
when they fail to do so,” said U.S. PIRG Consumer Program
Director, Ed Mierzwinski.
“This bill establishes much-needed protections for data security
for the credit bureaus. It also imposes real and meaningful
penalties when credit bureaus, entrusted with our most sensitive
financial information, break that trust,” said National Consumer
Law Center staff attorney, Chi Chi Wu.
“Senator Warner and Senator Warren have proposed a concrete
response to a serious problem facing American consumers,” said
Electronic Privacy Information Center President, Marc Rotenberg.
“This bill creates greater incentive for these companies to
handle our data with care and gives the Federal Trade Commission
the tools that it needs to hold them accountable,” said Director
of Consumer Protection and Privacy at Consumer Federation of
America, Susan Grant.
Sen. Warner has been a
leader in calling for better consumer protections from
data theft. Following the Equifax
Sen. Warner asked the
Federal Trade Commission (FTC) to examine whether credit
reporting agencies such as Equifax have adequate
cybersecurity safeguards in place for “the enormous
amounts of sensitive data they gather and
commercialize.” He slammed the
credit bureau for its cybersecurity failures and weak
response at a Banking Committee hearing with Securities
and Exchange Commission (SEC) Chairman Jay Clayton last
year. Similarly, in the aftermath of the 2013 Target
breach that exposed the debit and credit card
information of 40 million customers, Sen. Warner chaired a
congressional hearing on
protecting consumer data from the threat posed by
hackers targeting retailers’ online systems. Sen. Warner
has also partnered with the National Retail Federation
to establish an
information sharing platform that allows the industry to
better protect consumer financial information from data
breaches.
Warner, Warren Introduce Legislation to Hold
Credit Reporting Agencies like Equifax Accountable for