Two senators are proposing a bill that would give the Federal Trade Commission (FTC) the power to levy heavy fines against credit reporting agencies that breach consumers’ personal information.
Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) introduced the Data Breach Prevention and Compensation Act of 2018 on January 10, 2018. It is a direct response to last year’s Equifax breach, in which 145.5 million people’s data was exposed after criminal hackers exploited a weakness in the organization’s software.
“The financial incentives here are all out of whack,” Warren said in a statement. “Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach.”
What does the bill propose?
If passed into law, the bill would give the FTC the authority to fine breached agencies $100 per affected consumer, with an extra $50 for each additional piece of data put at risk. The fines would be capped at 50% of the organization’s gross revenue.
The penalty doubles if the organization fails to disclose the breach to regulators promptly or has insufficient cybersecurity measures in place. Half of the money would be redistributed to the affected consumers.
The bill also calls for the FTC to establish a new cybersecurity office that would monitor credit reporting agencies’ cybersecurity practices.
Warren, who has gained an unexpected cult following, has been less popular in the Senate. Last year, she twice tried to pass reforms in the wake of the Equifax hack, but neither bill made it out of committee. The proposals are thought to have failed because they were too broadly prescriptive, but this latest attempt is more akin to the Health Insurance Portability and Accountability Act (HIPAA), creating sector-specific standards.
However, Francis Creighton, the president and CEO of the Consumer Data Industry Association, which represents Equifax, Experian, and TransUnion, believes this bill has the same flaws. “The agencies already comply with the same rigorous data protection standards as banks,” he told CNET.
“We do not believe the Warren/Warner bill provides a balanced solution to an increasingly complex problem that affects every part of the economy – including the federal government.”
Will it be passed into law?
This bill will have a hard time passing through a Republic-controlled Senate in its current form, but the traction it has gained so far evidences a bipartisan acknowledgement that cybersecurity needs to be addressed by government. Cybersecurity became a major talking point among governors last year, and it’s only a matter of time before significant reforms are passed.
In the meantime, all eyes will be on the New York Department of Financial Services, as all covered entities are required to certify to the state’s Cybersecurity Requirements by February 15, 2018. Depending on the success of this Regulation, other states might implement similar requirements.
If you’re not already focusing on cybersecurity in your organization, it’s about time you did. Achieving compliance with existing laws can be tricky, as cybersecurity and data breach notification laws in the US are currently regulated by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary.
This problem may ease as new laws are passed, but you can address cybersecurity now and prepare for the long-run by implementing ISO 27001, the international standard that describes best practice for an information security management system (ISMS).
An ISMS is a system of processes, documents, technology, and people that helps to manage, monitor, audit, and improve your organization’s information security. It helps you manage all your security practices in one place, consistently and cost-effectively.
For more information on how the Standard can help your organization, take a look at our free brochure: How to overcome your data security compliance challenges. This guide explains:
- How a cybersecurity program can protect your information assets and help avoid legal penalties
- Items to consider when establishing a robust cybersecurity program
- What is involved in implementing an ISMS
- The benefits of certifying to ISO 27001