Proposed Legislation Would Create Office of Cybersecurity at FTC

Punitive Data Breach Legislation Proposed Post-Equifax

Two Democratic senators, Elizabeth Warren, D-Mass., and Mark Warner, D-Va, introduced a bill Wednesday that would provide the Federal Trade Commission (FTC) with punitive powers over the credit reporting industry -- primarily Equifax, Credit Union and Experian -- for poor cybersecurity practices.

The bill is in response to the huge Equifax breach disclosed in September, 2017. "Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," said Senator Warren in a Wednesday statement.

If the bill succeeds, it will become the Data Breach Prevention and Compensation Act of 2018. It will create an Office of Cybersecurity at the FTC, "headed", says the bill (PDF), "by a Director, who shall be a career appointee." This Office would be responsible for ensuring that the CRAs conform to the requirements of the legislation, and would have the power to establish new security standards going forwards.

The punitive power of the Act comes in the level of the potential fines, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. On this basis, were the Act already in force, Equifax would be facing a fine of at least $1.5 billion. 

Under current law, say the lawmakers, it is difficult for consumers to get compensation when their personal data is stolen. Typical awards range from $1 to $2 per consumer. This bill requires the FTC to use 50% of its penalty to compensate consumers.

The maximum penalty is capped at 50% of the credit agencies' gross revenue from the previous year. This dwarf's even the EU's General Data Protection Regulation (GDPR) maximum fine set at 4% of global revenue -- but it gets worse: it could increase to 75% of gross revenue where the offending CRA fails to comply with the FTC's data security standards or fails to timely notify the agency of a breach.

The bill requires CRAs to notify the FTC of a breach within 10 days of the breach -- it doesn't at this stage specify whether that is 10 days from the breach occurring, or 10 days from discovery of the breach. Within 30 days of being so notified, the FTC is then required to "commence a civil action to recover a civil penalty in a district court of the United States against the covered consumer reporting agency that was subject to the covered breach."

While 50% of any recovered money is to compensate the victims of the breach, the remaining 50% is to be used for cybersecurity research and inspections by the FTC's new Office of Cybersecurity.

"In today's information economy, data is an enormous asset. But if companies like Equifax can't properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn't be collecting it in the first place," said Sen. Warner. "This bill will ensure that companies like Equifax -- which gather vast amounts of information on American consumers, often without their knowledge -- are taking appropriate steps to secure data that's central to Americans' identity management and access to credit."

How much traction this bill will receive in the Senate remains to be seen, but it reflects the general dismay felt by the size of the Equifax breach -- which could have been prevented if patches had been applied. It is not the first Equifax-related legislative proposal, but it is by far the most punitive. In November 2017, New York State Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to improve security specifically within New York State. 

SHIELD fines are capped at $250,000, and the disclosure requirement is vague: "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement..." Put very simply, both proposals are designed to improve the security of their respective 'covered entities' (CRAs are covered in both bills), but SHIELD seeks to do so in a 'business friendly' manner, while the Data Breach Prevention and Compensation Act of 2018 seeks to do so in a 'consumer friendly' manner.

Original author: Kevin Townsend