• by Wendy Davis  @wendyndavis, January 10, 2018

Credit reporting agencies that suffer security glitches could be hit with hefty new fines under a bill introduced Wednesday by two Democratic lawmakers.

The "Data Breach Prevention and Compensation Act," unveiled by Senators Mark Warner (D-Virginia) and Elizabeth Warren (D-Massachusetts), would subject credit reporting agencies like Equifax to mandatory penalties of $100 per customer who had a piece of personally identifying information compromised. The measure would tack on an additional $50 for each extra piece of personal identifying information compromised.

The proposed bill comes four months after Equifax disclosed that hackers obtained personal information including names, Social Security numbers, birthdays and addresses -- of more than 140 million people. Company officials knew about the breach for at least six weeks before disclosing it.

The type of personal information covered by the bill includes names, Social Security numbers, drivers' license numbers, passport numbers, and biometric data like faceprints or fingerprints. Companies' total fines could come to between 50% and 75% of their gross revenue, depending on factors like whether they promptly disclosed the breach.

The measure also tasks the Federal Trade Commission with creating data security regulations for credit reporting agencies. The FTC has previously prosecuted businesses like Wyndham hotels over cybersecurity breaches, but those cases were often tied to the companies' privacy policies.

For instance, an appellate court ruled in 2015 that the FTC could prosecute Wyndham for allegedly using "unfair" data security practices, like failing to encrypt credit card information, but connected the decision to the hotel's promise to use reasonable security measures. "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business," the 3rd Circuit Court of Appeals wrote in that case.

Warren and Warner aren't the only lawmakers to introduce legislation connected to the Equifax data breach. Last year, Sens. Edward J. Markey (D-Mass,), Richard Blumenthal (D-Conn.), Sheldon Whitehouse (D-R.I.) and Al Franken (D-Minn.) introduced the Data Broker Accountability and Transparency Act, which would give consumers the right to prevent their information from being sold by data brokers for marketing purposes.