A group of U.S. congressional Democrats is proposing a law that would regulate data security at credit bureaus like Equifax, Experian, and TransUnion, setting minimum penalties for breaches at the companies and empowering the Federal Trade Commission (FTC) to regulate their security practices.
“It’s been over a year and a half since Equifax opened the doors to hackers who stole the personal data of more than half the adults in the country, and this new report shows that Equifax still has a long way to fix the problem it created,” said Senator Elizabeth Warren (D-MA), who is seeking her party’s presidential nomination, in a statement. “Our bill, which would hold companies like Equifax accountable for failing to protect consumer data, would compensate consumers injured by these breaches and help ensure that they never happen again.”
In addition to Warren, the bill is sponsored by Senator Mark Warner (D-VA), and by representatives Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL). It would set a base penalty of $100 for each consumer who saw personal data leaked in a breach at a credit agency, plus an additional $50 for each piece of data leaked per consumer.
That would have resulted in a $1.5 billion penalty after the Equifax breach revealed in 2017, the bill’s sponsors estimate. So far, the U.S. government has not imposed any penalties on Equifax, but the company expects the FTC and Consumer Financial Protection Bureau (CFPB) to do so soon, it said in its annual report in February.
Equifax didn’t immediately respond to an inquiry from Fast Company.
Penalties could be higher still in the case of poor security practices, or if credit bureaus didn’t notify the FTC of breaches in a timely manner.
“By imposing strict penalties for data breaches and facilitating compensations for affected Americans, this legislation will increase accountability and help ensure that credit reporting agencies actively prioritize the security of sensitive consumer information,” Warner said in a statement.
The proposed law would also establish an Office of Cybersecurity at the FTC. It would have the power to conduct regular cybersecurity inspections at credit agencies and regulate their security practices.