Proposed Data Breach Prevention and Compensation Act of 2018
In what appears to be a direct response to last year’s Equifax Breach, Senators Elizabeth Warren and Mark Warner introduced, this week, the Data Breach Prevention and Compensation Act, directly targeting large Credit Reporting Agencies (“CRAs”) like Equifax, Experian, and TransUnion. The Act comes with quite a sting, allowing for fines of up to 75% of a CRA’s gross revenue. (Put that in your pipe GDPR.) Of course, the bill is simply proposed at this point, in a political environment that disfavors additional regulations. But some of the provisions may forecast where we are headed as a nation in cyber security regulation.
FTC gets a Cyber Security Office and a Director
In relation to CRAs, the FTC would assume authority to supervise, to promulgate cyber regulations, to annually inspect data security measures, and to investigate regulation noncompliance or potential breaches.
Automatic Penalties Attach to Covered Breaches
Covered CRAs suffering a data breach involving consumer personally identifiable information (“PII”) are subject to fines in strict liability, meaning the fine attaches as a result of the lost PII rather than the CRA’s culpability—$100 for each consumer where a name and one item of PII is compromised, plus $50 for each additional item. The fines are capped, however, at 50% of a CRA’s yearly gross revenue, unless it fails to notify the FTC of a breach or violates any FTC regulation, in which case the fines are doubled up to 75% yearly gross revenue.
Penalties Go Back to the Consumers
In an unusual twist, the Act calls for 50% of the penalty proceeds to be distributed among the affected consumers. Theoretically, then, a consumer suffering a loss of name, social security number, driver’s license number, and two credit card numbers would stand to receive a check for $125, which could help pay for additional ID theft monitoring or credit freezes.
The other 50% of the proceeds is directed to FTC cybersecurity research and inspections of the CRAs.
Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years’ of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.