New legislation introduced in the US Senate by Elizabeth Warren (D-MA) and Mark Warner (D-VA) would result in credit reporting agencies being slapped with stiff fines if they play fast and loose with data security.
The Data Breach Prevention and Compensation Act [PDF] would impose a mandatory $100 fine per affected consumer on a credit agency that leaks records containing at least one piece of personal identifying information (PII), plus a further $50 for each additional piece of that consumer's PII exposed.
The fines would be administered by the Federal Trade Commission, and the legislation requires that at least half of any fines collected be funneled back to the citizens whose data had been lifted by hackers. The bill would also set up a director and office of cybersecurity within the FTC that would perform regular checks on the IT security of credit agencies and could increase a firm's fine by up to 75 per cent for egregious computer defense failings.
"In today's information economy, data is an enormous asset. But if companies like Equifax can't properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn't be collecting it in the first place," said Senator Warner.
"This bill will ensure that companies like Equifax - which gather vast amounts of information on American consumers, often without their knowledge - are taking appropriate steps to secure data that's central to Americans' identity management and access to credit."
Despite widespread outrage over the scale of the Equifax hack that was revealed in September – which exposed the private data of over 143 million Americans, more than 15 million records of Brits, and goodness knows who else – the firm has faced no fines or fallout, other than some tax-deductible clean-up charges.
Equifax is not alone in having shoddy practices. The National Credit Federation, a US credit repair biz, left 111GB of customer data on an open Amazon S3 bucket for thieves to find, although fortunately security researchers got there first and shut down that hole.
If this legislation had been enacted before the Equifax breach was revealed, the agency would potentially be facing a bill of at least $1.5bn. Under the proposed rules, fines for data breaches would, however, be capped at 50 per cent of a firm's gross annual revenue; the raw per-record arithmetic (143 million people at $100 apiece, before any $50 add-ons) comes to more than $14bn, so in Equifax's case the revenue cap rather than the per-head rate is what would set the size of the bill.
"The financial incentives here are all out of whack - Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," said Senator Warren.
"Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax - and provides robust compensation for affected consumers - which will put money back into people's pockets and help stop these kinds of breaches from happening again."
The draft law has to clear the Senate and House of Reps before it gets anywhere near President Trump's pen. ®