[BreachExchange] Warren, Warner propose 'massive' fines for breaches at credit bureaus

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 12 13:58:07 EST 2018


The Data Breach Prevention and Compensation Act would provide the Federal
Trade Commission (FTC) with additional direct supervisory authority over
data security at the agencies, as well as imposing penalties on the agencies
and providing consumers with compensation as a means of preventing future
breaches. The penalties would be capped at 50% of the credit reporting
agencies' gross revenue from the prior year - except in cases of extreme
negligence, in which case the fine would go up to 75% of the companies'
prior-year gross annual revenue.

If the legislation had been in place when Equifax had a data breach a year
ago that exposed the Social Security numbers and birth dates of as many as
145.5 million Americans, Equifax would have faced a fine of at least $1.5
billion, the senators said.

The bill also mandates that the FTC use half of the collected fines to
compensate affected consumers, and it tacks on more penalties for agencies
that lacked adequate cybersecurity or failed to report a breach. Meanwhile,
the Democratic duo would empower the FTC to probe and regulate the data
security practices of credit-reporting agencies.

"We are introducing a bill today to say that when a credit reporting agency
lets your data be stolen, that there are substantial automatic penalties
that go into place, and there's money that automatically goes back to the
people whose data has been stolen", Warren told CNN's Alisyn Camerota on
"New Day".

"That would be the warning to Equifax, and to every other credit reporting
agency that, if you do this, you're not going to walk away unscathed..."
These entities aren't widely known, but they amass virtual warehouses of
information about all Americans.

Yet even these powerful Democrats still face a daunting challenge in
advancing their legislation to a vote on the Senate floor.

The company's chief executive, Richard Smith, stepped down after the breach
was disclosed, and lawmakers slammed him in congressional hearings last

Somehow, though, their intense, widespread criticism failed to translate
into any new, meaningful movement on a slew of bills that might have
addressed the problem.

Warner, who is the vice chairman of the Senate Select Intelligence
Committee, said if credit reporting agencies can't protect consumer data,
they shouldn't collect it. Warren, in fact, had been a key driver of that

This isn't the first bill to be proposed on the matter of breaches. Many
states have their own rules, which one major company - Uber - may have
flouted in its handling of a 2016 security incident.

The bill from Warren and Warner shows the lawmakers are still angry about
the Equifax breach, said Jaret Seiberg, a Washington policy analyst with
brokerage and investment bank Cowen & Co.

"If companies like Equifax can't properly safeguard the enormous amounts of
highly sensitive data they are collecting and centralizing, then they
shouldn't be collecting it in the first place", Warner said in a statement.