New legislation seeks to hold credit rating firms accountable for data breaches
The Data Breach Prevention and Compensation Act would impose a base penalty of $100 for every consumer whose details are compromised. But will it ever see the light of day?
The Equifax data breach was one of last year’s biggest cybersecurity stories. But as the dust starts to settle on a data protection scandal that garnered global press coverage, widespread public condemnation, and even saw the credit rating firm’s former CEO feel the heat of a Congressional hearing, the question remains: What exactly has been done to ensure data breaches of this scale are avoided in the future?
In the days following the company’s admission that shoddy opsec practices resulted in the personal information of more than 145 million US residents (and millions of others around the world) being compromised, Equifax’s share price tumbled below the $100 mark for the first time in nearly two years.
Three months on, however, the company’s stock has recouped more than half of its losses – and if previous high-profile corporate hacks are anything to go by, it’s likely that the downturn will become nothing more than a mere blip in the company’s quest to deliver maximum returns to its shareholders.
Ultimately, it seems that consumers will once again be the ones left paying the price.
This situation could soon change, however, after US senators Mark Warner and Elizabeth Warren this week introduced the Data Breach Prevention and Compensation Act, which is aimed at holding large credit reporting agencies (CRAs) – including Equifax – accountable for data breaches involving consumer data.
The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose penalties to incentivize adequate protection of consumer data, and provide compensation to those whose data was compromised.
The cornerstone of the new legislation is the call for mandatory, strict liability penalties for breaches of consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personally identifiable information (PII) compromised and another $50 for each additional PII compromised per consumer.
To put these figures into context, if the legislation had been enacted prior to September 2017, Equifax would now be faced with costs amounting to more than $1.5 billion.
“The financial incentives here are all out of whack,” Senator Warren said in a statement. “Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach.
“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into people’s pockets and help stop these kinds of breaches from happening again.”
In the two days since the Data Breach Prevention and Compensation Act was unveiled, the legislation has attracted the support of numerous consumer associations and countless individuals.
“This bill establishes much-needed protections for data security for the credit bureaus. It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust,” said National Consumer Law Center staff attorney, Chi Chi Wu.
“Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers,” said Electronic Privacy Information Center president, Marc Rotenberg.
The potentially ruinous fines stipulated in the Data Breach Prevention and Compensation Act are certainly enough to capture the attention of any credit rating agency board member, but will the bill ever make it to the Senate floor? Some have said this is wishful thinking.
“Similar breaches affecting Sony, Home Depot, Target and scores of other major companies in recent years have failed to convince Congress to adopt new federal rules governing how and when companies inform customers of a data breach,” noted Recode’s Tony Romm.
Anticipating a flood of lobbying efforts should the bill gain traction, others have argued that the Democrat-led legislation stands little chance of being graced with the signature of a Republican president.
Moreover, by way of comparison, those in favor of the new bill may balk at the prognosis of the Data Security and Breach Notification Act, which was introduced to Congress last November and aims to create the first-ever federal standard for punishing corporate data breaches.
According to Skopos Labs, this bill – which shares many similarities with the credit rating agency-focused Data Breach Prevention and Compensation Act – currently stands a 1% chance of being enacted.
Although many remain adamant that the freshly-tabled consumer protection bill has little chance of moving forward, there is one thing of which we can be sure: high-profile data breaches such as those experienced by Equifax will continue to hit the headlines over the coming months and years.
And as more and more consumers become affected by the loss of personal data, it’s not a question of if, but when the law will be changed to ensure companies – and the executives who steer them – are made accountable.
“In today’s information economy, data is an enormous asset,” Senator Warner said. “But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”