Senate bill would give FTC new data breach authority

Two Democratic senators are looking to create a new cybersecurity office at the Federal Trade Commission to police data breaches at credit reporting agencies.



In the wake of the Equifax breach, which saw more than 140 million consumer records compromised, Sens. Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) are looking to establish cybersecurity standards for credit bureaus and penalize firms that are breached.

The Data Breach Prevention and Compensation Act of 2018 would put the FTC in charge of regulating cybersecurity for companies that earn in excess of $7 million a year from the sale of consumer information. Under the bill, such companies would be charged with sharing with the FTC details of their strategy and methods to avoid data breaches, including information about network security, device management, software inventories, access privileges, data encryption, patch management, remote and local data storage and more.

Efforts to legislate around data breaches have typically focused on creating a national standard for breach notification. The Warren-Warner bill is more along the lines of the Health Insurance Portability and Accountability Act -- creating sector-specific security standards for data deemed sensitive, rather than only rules for what happens after a breach.

"In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place," Warner said in a statement.

Under the bill, companies that suffer breaches would incur a penalty of $100 per affected consumer, with additional penalties accruing for each further piece of personally identifiable information lost per consumer. Heavier fines could be levied in cases of "woefully inadequate cybersecurity," according to a press release announcing the bill. Covered companies would be required to report breaches to the FTC within 10 days.

If passed into law, the measure would make credit bureaus among the most tightly regulated industries in terms of cybersecurity.

"Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into peoples' pockets and help stop these kinds of breaches from happening again," Warren said.

Some consumer groups welcomed the news. "The credit bureaus are different from retailers or other entities that could be breached," Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group, said. "They hold a treasure trove of personal information valuable to identity thieves, but have long demonstrated a disdain for consumers, whom they treat as products, not customers."

The bill would greatly expand the FTC's authority over data breaches in the credit-reporting sector, but the agency already has a general ability, affirmed in court, to penalize companies for failing to take basic steps to protect the data they collect on consumers. In a 2015 blog post the agency announced it had reached 53 settlements with companies for data security violations. That total has since expanded to 64, with the most recent settlement announced Jan. 8, 2018, against electronic toymaker VTech over allegations that the company failed to encrypt registration information on 130,000 children using a web-based play platform.