A bill by Senate Democrats that would subject hacked credit agencies to heavy fines is another sign of mounting bipartisan pressure on the industry in the wake of the massive Equifax breach.

Introduced by Sen. Elizabeth Warren (D-Mass.) and Sen. Mark Warner (D-Va.), “The Data Breach Prevention and Compensation Act” would allow regulators to punish credit reporting agencies in the wake of the massive Equifax data hack. If the law had been in place during the breach, Equifax would have been on the hook for over $1 billion in fines.

Anger over the Equifax incident runs so thick in Congress that one analyst feels the Warren bill could pick up some Republican votes.

“Despite Elizabeth Warren's status as a leader of progressive Democrats, we could see this bill picking up bipartisan support,” Jaret Seiberg, the financial services and housing policy analyst for Cowen Washington Research Group, said in an email to clients. Seiberg also suggested that the bill by Warren and Warner could resurface in a broader bill that enjoys bipartisan support.

The bill gives the Federal Trade Commission (FTC) more direct supervisory authority over data security at all credit reporting agencies and would mandate penalties for credit reporting agencies when there is a security breach. It also provides for hacked consumers to be compensated. Compromised consumers would be entitled to $100 for the first piece of compromised personal information and $50 for each additional piece. Equifax would have paid $14.5 billion for breached Social Security numbers alone under the bill’s provisions.
The legislation would also require credit bureaus to offer free credit freezes to consumers affected by a data breach. This would prevent bureaus from selling consumer information while a freeze is in place.

The bill is being hailed by some bank analysts as balanced, and there is even talk that its provisions could be attached as a rider to the spending package congressional leadership is trying to pass by January 19. Both sides of the aisle in Congress have expressed outrage over Equifax’s September admission that hackers had breached the company’s software to access the personal data of over 144 million customers, obtaining Americans’ Social Security numbers, phone numbers and addresses.

A growing number of lawmakers believe that the federal government lacks the power to penalize credit reporting agencies that fail to protect their stores of sensitive consumer data, a potentially devastating enforcement gap as cyberattacks become more sophisticated and commonplace.

In the Senate, Sen. Chuck Grassley (R-Iowa), chair of the Senate Judiciary Committee, has called for a uniform breach notification standard and has said he’s been working with Sen. Dianne Feinstein (D-Calif.) on a bill to tighten disclosure rules.

In the House, Rep. Jeb Hensarling (R-Texas), chair of the House Financial Services Committee, has supported the creation of a national standard for notifying people impacted by data breaches.

"This approach says it's not about having a bunch of regulators come in and tell them how to design it. It's about saying there are real consequences if you do not provide adequate security for this data," Warren said during a press conference. "We are introducing a bill today to say that when a credit reporting agency lets your data be stolen, that there are substantial automatic penalties that go into place, and there's money that automatically goes back to the people whose data has been stolen."
