In what appears to be a direct response to last year’s Equifax breach, Senators Elizabeth Warren and Mark Warner introduced the Data Breach Prevention and Compensation Act this week, directly targeting large Credit Reporting Agencies (“CRAs”) like Equifax, Experian, and TransUnion. The Act comes with quite a sting, allowing for fines of up to 75% of a CRA’s gross revenue. (Put that in your pipe, GDPR.) Of course, the bill is only a proposal at this point, in a political environment that disfavors additional regulation. But some of its provisions may forecast where we are headed as a nation in cybersecurity regulation.
FTC gets a Cyber Security Office and a Director
In relation to CRAs, the FTC would assume authority to supervise, to promulgate cyber regulations, to annually inspect data security measures, and to investigate regulation noncompliance or potential breaches.
Automatic Penalties Attach to Covered Breaches
Covered CRAs suffering a data breach involving consumer personally identifiable information (“PII”) are subject to fines on a strict-liability basis, meaning the fine attaches as a result of the lost PII rather than the CRA’s culpability—$100 for each consumer whose name and one item of PII are compromised, plus $50 for each additional item. The fines are capped, however, at 50% of a CRA’s yearly gross revenue, unless the CRA fails to notify the FTC of a breach or violates any FTC regulation, in which case the fines are doubled, up to a cap of 75% of yearly gross revenue.
Penalties Go Back to the Consumers
In an unusual twist, the Act calls for 50% of the penalty proceeds to be distributed among the affected consumers. Theoretically, then, a consumer suffering a loss of name, social security number, driver’s license number, and two credit card numbers would stand to receive a check for $125, which could help pay for additional ID theft monitoring or credit freezes.
The other 50% of the proceeds is directed to FTC cybersecurity research and inspections of the CRAs.