December 05, 2024

Warren, Warner, Shaheen Renew Push to Hold Equifax, Other Credit Reporting Companies Accountable for Data Breaches

Under this legislation, Equifax would have paid at least $1.5 billion in penalties for 2017 data breach


Washington, D.C. – U.S. Senators Elizabeth Warren (D-Mass.), Mark Warner (D-Conn.), and Jeanne Shaheen (D-N.H.), along with Representative Raja Krishnamoorthi (D-Ill.), reintroduced the Data Breach Prevention and Compensation Act to hold credit reporting agencies accountable for data breaches involving consumer data.

The 2017 Equifax hack revealed that Credit Reporting Companies (CRCs) collect enormous amounts of sensitive data—including Social Security numbers, birth dates, credit card numbers, and driver’s license numbers—from over 145 million Americans. They collect this data in order to profit off of its aggregation, to the tune of hundreds of millions of dollars per year. Cybersecurity experts found that this consumer data lacked proper safeguards against hackers. Seven years after that massive data breach, in 2024, consumers are still inadequately protected.

The Data Breach Prevention and Compensation Act gives the Federal Trade Commission (FTC) stronger authority over data security at CRCs, imposes strict financial penalties for failing to protect consumer data, and automatically compensates customers for stolen data. This bill would: 

  • Impose strict penalties for breaches involving consumer data at credit reporting agencies. Penalties begin at $100 for each customer who had one piece of personal identifying information compromised, with an additional $50 for each additional piece of information compromised per consumer. 
  • Ensure robust recovery for affected consumers by requiring the FTC to use 50% of penalties collected to compensate consumers. 
  • Establish an Office of Cybersecurity at the FTC that is tasked with annual inspections and supervision of cybersecurity at CRCs. The FTC will report to Congress on areas where it needs to enhance the agency’s authorities to fully address cyber-theft.
  • Increase penalties for cases of inadequate cybersecurity or failure to notify an agency of a breach. The bill doubles the automatic per-consumer penalties and increases the maximum penalty for cases where a CRC fails to follow the data security standards or fails to notify the FTC of a data security breach.

“Credit reporting companies like Equifax shouldn’t be able to put millions of Americans at risk of identity theft and avoid real accountability,” said Senator Warren. “This bill ensures credit reporting companies take the proper precautions with consumer data.”

“More than half of American adults have had to grapple with the consequences of data breaches resulting from credit reporting agencies mishandling and failing to protect consumer data. By imposing strict penalties to hold companies accountable while facilitating compensation for affected Americans, our bicameral legislation will help prevent the abuses and negligence which could allow the next consumer data breach,” said Congressman Krishnamoorthi.  

“I have been sounding the alarm for years about the importance of protecting individuals' private and sensitive information, but all too often, our data gets into the wrong hands – without our knowledge or consent. I’m proud to introduce this legislation to hold companies like Equifax accountable for securing data that's central to Americans' identity management and access to credit,” said Senator Warner.

The following organizations co-sponsored the bill: National Consumer Law Center (on behalf of its low-income clients), Americans for Financial Reform, U.S. PIRG, and the Electronic Privacy Information Center (EPIC).

"This bill improves data security for the credit bureaus, to prevent breaches like the terrible one at Equifax in 2017. It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust. I commend Senator Warren for introducing it, and for her persistence on this important issue." - Chi Chi Wu, Senior Attorney, National Consumer Law Center

"Credit reporting agencies hold people's most sensitive information and we've already seen terrible examples of what can go wrong. This legislation provides powerful tools to incentivize robust data protection and hold companies accountable for data breaches and identity theft." - Christine Chen Zinner, Senior Policy Counsel, Americans for Financial Reform

“The steady increase in data breaches in recent years has made clear the need for stricter oversight of businesses’ data security practices, and Senator Warren’s bill does just that. Companies handling Americans’ most sensitive personal data must do all they can to protect it, and there should be penalties if they fail to do so. The Data Breach Prevention and Compensation Act is a common-sense measure that will protect consumers from harmful data breaches.” - Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC)

“Given the sensitive information credit reporting agencies have collected about us without our consent, they should do everything possible to properly safeguard our data from breaches, identity theft, and scams. The Data Breach Prevention and Compensation Act would provide the necessary oversight and financial penalties to ensure that credit bureaus take data protection seriously.” - Mike Litt, U.S. PIRG Consumer Campaign Director.

###