New Bill Would Fine Credit Bureaus For Careless Cyber Security Practices

On Wednesday, Jan. 10, new legislation was introduced in the Senate that is poised to strictly oversee the cyber security protocols of major credit reporting agencies (CRA).

The measure, entitled the Data Breach Prevention and Compensation Act, would broaden the U.S. government’s powers to enforce penalties for major data breaches – such as the 2017 Equifax hack that led to the exposure of sensitive information on 145 million Americans.

The legislation was introduced by Sens. Mark Warner (D-Va.) and Elizabeth Warren (D-Mass.), both of whom had previously called for stricter penalties for those companies negligent in their handling of massive data stores. If passed, the act would hold the CRAs accountable for mega-breaches and likely return funds to breached consumers, according to a report on the introduction by Recode.net.

Despite the expanding threat landscape, the senators attached to the bill appear to feel that it is time to implement measures to avoid or mitigate pervasive hacks. In fact, if passed, the measure would allow the Federal Trade Commission (FTC), which monitors organizational security practices, to fine CRAs $100 for each consumer whose personally identifiable information (PII) was included in a heist. Additionally, there would be a $50 fine for each additional piece of PII lumped into the incident.

As the Recode.net story notes, had the measure been on the books for the 2017 Equifax breach, the CRA could have been on the hook for a $1.5 billion fine. Penalties leveled on these agencies would correlate to their revenue, yet could increase if the organization’s security posture was not up to snuff.

See Related: Feds Joining Cyber Security ‘Dashboard’ For Real-Time Diagnostics

The Data Breach Prevention Act would reportedly return half of the money earned in fines to those affected.

The FTC would also be tasked with monitoring and regulating the information security measures of the CRAs. An FTC office to preside over cyber security would also be formed.

On the matter, Warner said, “In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”

Similarly, Warren said, “The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach.”

Generally, the proposed bill appears to stem from the senators’ distaste for potentially lax security amongst the CRAs – whose data caches are quite expansive.

The Equifax incident appeared in scores of headlines in 2017, leading to hearings on the mega-breaches and inquiries into events at other top companies.

See Related: Tick, Tock: New SWIFT Security Regs Take Hold Jan. 1

Warren previously championed a bill (which was not advanced) that aimed to refund consumers forced to purchase credit-freezing services from CRAs, Recode.net notes.

According to Broadcasting & Cable (B&C), Consumer Federation of America’s Director of Consumer Protection, Susan Grant, said, “This bill creates greater incentive for these companies to handle our data with care and gives the Federal Trade Commission the tools that it needs to hold them accountable.”

The bill also comes at a time when the overall cyber security discussion has rapidly intensified in a number of circles – federal agencies, small and midsize businesses (SMB), large enterprises, financial institutions, enterprises presiding of protected health information (PHI), etc.

While the federal government sketches its own weighty cyber security platform, states and enterprises of all sizes have undertaken various initiatives to augment their security practices.

Further, while the number of breaches and other cyber incidents, including nation-state hacks, is projected to climb in 2018, the overall cyber spend is also projected to be on the rise.

This means that those in agency-settings and across sectors are willing to improve their security posture. This could be through various means: new solutions, frequent training sessions, internal phishing campaigns, etc.

Keep tabs on the Cyber Security Hub for further updates on the legislation!

Give It A Look: Incident Of The Week: 247K DHS Workers Exposed In Data Breach