The proposed legislation contemplates the creation of a separate cybersecurity office at the FTC that will develop new standards to prevent consumer data breaches.
In arguably the biggest data breach of 2017, approximately 143 million Americans’ sensitive personal data were compromised when hackers breached Equifax’s systems. A new bill authored by Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) aims to prevent such data breaches at Equifax and other covered credit reporting agencies (CRAs).
CRAs compile the information that goes into a consumer’s credit report, which lenders pull when he or she applies for a mortgage, etc. Under the new Senate bill, a newly created cybersecurity office will establish safeguards for consumer data and impose penalties on CRAs that put consumer data at risk.
How Can the New Bill Protect Consumer Data?
The new Senate bill, formally the Data Breach Prevention and Compensation Act of 2018, covers data breaches involving at least one item of personally identifying information (PII), which the bill defines as:
- An individual’s Social Security number, driver’s license number, passport number, alien registration or unique identification number issued by the government, and unique biometric data.
- An individual’s financial account numbers, e.g. credit and debit cards and any passcode to access these accounts.
- An individual’s first and last name, or first initial and last name, in combination with his or her past, present or future physical or mental health records.
The bill covers consumer reporting agencies as described in Section 603(p) of the Fair Credit Reporting Act, or those with annual revenues of not less than $7 million.
For purposes of this article, subsequent references to CRAs will mean covered CRAs.
The Office of Cybersecurity at FTC
The bill proposes to establish an Office of Cybersecurity at the Federal Trade Commission (FTC) to supervise the security of consumer data at CRAs.
This dedicated cybersecurity office will have these main duties:
- Promulgate regulations on effective data security for CRAs, primarily requiring CRAs to provide descriptions of their security measures, asset management, network management and monitoring, and data security. On data security, CRAs must describe their encryption processes for data at rest and data in transit.
- Document that a CRA has established technical measures and processes for the “continuous monitoring of data, intrusion detection, and continuous evaluation and timely patching of vulnerabilities.”
- Examine on an annual basis the data security measures of CRAs in compliance with the relevant provisions.
- Investigate any CRA upon a suspected potential breach or noncompliance with the relevant standards.
- Coordinate with the National Institute of Standards and Technology (NIST) and the National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security.
- Develop methods that will evaluate, test and measure effective data security practices of CRAs.
- Determine whether CRAs are complying with the above regulations.
Penalties for CRAs in Violation
One of the main thrusts of the new bill is to hold CRAs accountable for unduly exposing consumers’ data.
Under the bill, the Office can sue a CRA over a data breach in any U.S. District Court to recover civil penalties, determined as follows:
A civil penalty of $100 for each consumer whose name and at least one item of PII were compromised, plus $50 for each additional item of PII compromised.
As Senators Warren and Warner said in a public statement, Equifax would have paid $1.5 billion in penalties for its failure to protect Americans’ personal information under the bill.