Credit reporting agencies that suffer security glitches could be hit with hefty new fines under a bill introduced Wednesday by two Democratic lawmakers.
The "Data Breach Prevention and Compensation Act," unveiled by Senators Mark Warner (D-Virginia) and Elizabeth Warren (D-Massachusetts), would subject credit reporting agencies like Equifax to mandatory penalties of $100 per customer who had a piece of personally identifying information compromised. The measure would tack on an additional $50 for each extra piece of personal identifying information compromised.
The proposed bill comes four months after Equifax disclosed that hackers obtained personal information -- including names, Social Security numbers, birthdays and addresses -- of more than 140 million people. Company officials knew about the breach for at least six weeks before disclosing it.
The type of personal information covered by the bill includes names, Social Security numbers, drivers' license numbers, passport numbers, and biometric data like faceprints or fingerprints. Companies' total fines could come to between 50% and 75% of their gross revenue, depending on factors like whether they promptly disclosed the breach.
The measure also tasks the Federal Trade Commission with creating data security regulations for credit reporting agencies. The FTC has previously prosecuted businesses like Wyndham hotels over cybersecurity breaches, but those cases were often tied to the companies' privacy policies.
For instance, an appellate court ruled in 2015 that the FTC could prosecute Wyndham for allegedly using "unfair" data security practices, like failing to encrypt credit card information, but connected the decision to the hotel's promise to use reasonable security measures. "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business," the 3rd Circuit Court of Appeals wrote in that case.
Warren and Warner aren't the only lawmakers to introduce legislation connected to the Equifax data breach. Last year, Sens. Edward J. Markey (D-Mass.), Richard Blumenthal (D-Conn.), Sheldon Whitehouse (D-R.I.) and Al Franken (D-Minn.) introduced the Data Broker Accountability and Transparency Act, which would give consumers the right to prevent their information from being sold by data brokers for marketing purposes.