Two senators on Wednesday proposed “massive and mandatory” fines for data breaches at Equifax Inc. and other credit reporting companies, starting at $100 for each consumer whose sensitive information is compromised.
The bill from Sens. Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) would add a $50 fine for each additional piece of compromised personally identifiable information for each consumer. The penalties would double in cases where the credit reporting firm did not comply with federal data security standards or failed to notify officials of the breach in a timely manner.
If the legislation had been in place when Equifax had a data breach last year that exposed the Social Security numbers and birth dates of as many as 145.5 million Americans, Equifax would have faced a fine of at least $1.5 billion, the senators said.
The bill, called the Data Breach and Compensation Act, would direct the Federal Trade Commission to funnel half of any fine to compensate affected consumers. The agency could levy fines of as much as 75% of the credit reporting company’s gross revenue from the prior year.
“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into people’s pockets and help stop these kinds of breaches from happening again,” Warren said.
An Equifax spokeswoman referred a request for comment to the Consumer Data Industry Assn., which represents credit reporting companies. Francis Creighton, the group’s president, said the companies “already comply with the same rigorous data protection standards as banks” and will work with Congress to find ways to protect consumers “without impeding their access to credit.”
“We do not believe the Warren/Warner bill provides a balanced solution to an increasingly complex problem that affects every part of the economy, including the federal government,” he said.
The Equifax data breach, made public in September, sparked bipartisan outrage, partly because the hack took place after the company failed for several months to fix a software flaw that federal officials had warned about in March.
Equifax also bungled the aftermath of the breach, waiting nearly six weeks to notify the public after learning of the hack and then initially making people give up their right to sue if they wanted free credit monitoring and identity theft protection. Equifax later backtracked on that requirement.
The company’s chief executive, Richard Smith, stepped down after the breach was disclosed, and lawmakers slammed him in congressional hearings last fall.
The bill from Warren and Warner is among several proposed in the wake of the Equifax breach, including one from a top House Republican that would stop credit reporting companies from using Social Security numbers to verify people’s identities.
"In today's information economy, data is an enormous asset,” Warner said Wednesday. “But if companies like Equifax can't properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn't be collecting it in the first place.”
Despite the outrage, none of the bills have been approved by either chamber of Congress.
A bipartisan financial regulatory bill that passed the Senate Banking Committee last month would allow people to freeze and unfreeze their files with credit reporting companies and would require free credit monitoring for active-duty members of the military.
The bill from Warren and Warner shows the lawmakers are still angry about the Equifax breach, said Jaret Seiberg, a Washington policy analyst with brokerage and investment bank Cowen & Co.
The legislation is unlikely to be enacted, but makes it more difficult for credit reporting companies to soften the credit freeze requirements in the bipartisan bill that passed the Senate Banking Committee, Seiberg said in a research report.
Consumer and privacy advocates praised the new legislation, which also would create a cybersecurity office at the Federal Trade Commission to conduct annual inspections of credit reporting companies.