Equifax’s mishandling of its 2017 data breach will have consequences, not only for its customers but for all CRAs (Credit Reporting Agencies) in the US. All consumers need to be aware of their personal data and what they can do to safeguard it. The question is whether the government can legislate penalties to ensure safety. Most agree that something needs to be done so that another breach of this magnitude, and its mishandling, does not occur again.
There are two pieces of legislation currently making their way through Congress; both are directly related to Equifax’s 2017 breach, which compromised as many as 143 million records.
1. The Data Breach Prevention and Compensation Act
The first piece of legislation is the Data Breach Prevention and Compensation Act, created by Elizabeth Warren (D-MA) and Mark Warner (D-VA). It proposes that a new Office of Cyber Security be opened under the Federal Trade Commission for oversight of CRAs. The new office would conduct annual inspections and be responsible for regulating CRAs’ adherence to data security guidelines.
The legislation would impose mandatory penalties for consumer data breaches, starting at $100 per piece of data breached and increasing by $50 for each additional piece of data breached. The maximum penalty would be up to 50% of the CRA’s gross revenue for the previous year. Additionally, the bill would allow the FTC to allot 50% of the penalty to compensate consumers. If the CRA in question is found not to have adequately adhered to cybersecurity guidelines, or if it fails to notify the FTC of a breach within 10 days, the per-record penalties would double and the maximum penalty would increase to 75% of the agency’s gross revenue for the prior year.
Senator Warren said, “The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach.”
Many consumer groups and cybersecurity experts are expressing support for the new legislation, including the Consumer Protection and Privacy at Consumer Federation of America, the U.S. Public Interest Research Group (PIRG), and the Electronic Privacy Information Center.
2. The Freedom from Equifax Exploitation (FREE) Act
The second piece of legislation is much smaller and more concise: the Freedom from Equifax Exploitation (FREE) Act, introduced in September 2017. The bill aims, in part, to prevent CRAs from profiting from consumer information during a breach by restricting the sale of consumer information while a credit freeze is in place. It would also require CRAs to provide procedures for lifting a credit freeze at no charge to the consumer, along with a variety of provisions for fraud alerts.
The clear message to businesses in general: be responsible in your cybersecurity efforts. The government is lagging behind the industry in legislating a solution for safeguarding the public, but it will soon catch up.