We all still remember the Equifax data breach this past year. And some of us are still reeling from it. What’s interesting to me about the whole thing is that Equifax, aside from some bad PR, has walked away from this relatively unscathed. But there are two Democratic Senators who are looking to change this. More specifically, they are looking to broaden powers so the U.S. government can hand out massive fines if this were to happen again. Instead of keeping the money, the government would give some of that money back to the people affected by the breach. This is actually a really good idea.
This idea is the heart of the Data Breach Prevention and Compensation Act, which is going to be introduced on Wednesday. Interestingly enough, Mark Warner is involved in this bill – alongside Elizabeth Warren. I say that this is interesting because of his role in the social media/Russia interference investigation. Lawmakers agree that cyber attacks may be inevitable, but they also feel that the federal government currently has no power to respond, and in this case, no power to penalize entities that fail to protect their stores of sensitive consumer data.
The bill would grant the Federal Trade Commission the authority to fine credit-reporting agencies. This category includes TransUnion, Experian, and Equifax. Had this been the law at the time of the Equifax data breach, Equifax would have been forced to pay $1.5 billion to the federal government. That’s a ton of cash. But at the same time, they deserve to pay it considering how lax they were about the whole thing to begin with.
Why $1.5 billion exactly? The FTC would fine $100 for each consumer whose personal information was stolen by a hacker, and then add another $50 for each additional piece of personal information compromised per individual. The total fine would be capped based on the credit-reporting agency’s revenue, but the cap could increase if the agency failed to follow basic cybersecurity practices – like what Equifax did. Or didn’t do, as it were.
I did say that this was a good idea, and I stand behind that statement. But what I don’t think is “good” is that the consumer is only going to get $100 or $150 back for the breach. To me, that’s not good enough, and I would think that most people would agree with me on that one.
This proposal originates in a broader frustration with the power and reach of credit-reporting agencies. These entities aren’t widely known, but they hold vast stores of data about Americans. But this bill may not make it anywhere. Even with shared disgust and outrage, Congress hasn’t been able to make any progress on a slew of bills that could have addressed this problem. Congress couldn’t even advance basic legislation that aimed to refund customers who had to purchase credit freezes from the very credit-reporting agencies that had been hacked.
Which means this might not go anywhere. For now, though, the senators are stressing that their new bill is necessary in order to fix the skewed economics of cybersecurity. Right now, there is very little that the FTC can do, even in the wake of a cyber attack that affected 40% of the U.S. population.