Credit reporting agency Equifax was the most complained-about financial company last year, according to Consumer Financial Protection Bureau data.
That’s not surprising, given it was responsible for:
- an entirely preventable massive data breach that affected a third of Americans…
- and didn’t notice it for over two months…
- and waited more than another month to tell anyone…
- and then handled the fallout very poorly.
It was a stunning show of incompetence from start to finish, and now Congress wants to make sure it will never happen again. Or that if it does, it hurts the company more than it hurts consumers.
Senators Elizabeth Warren — who helped create the CFPB — and Mark Warner introduced a bill last week that would create hefty fines for negligent credit reporting agencies…
The Data Breach Prevention and Compensation Act would set mandatory fines at $100 for each consumer who has a piece of personally identifiable information compromised and another $50 for each additional piece of personal identifiable data. The penalties would be capped at 50% of the credit reporting agencies’ gross revenue from the prior year — except in cases of extreme negligence, in which case the fine would go up to 75% of the companies’ prior year gross annual revenue.
Let’s say this law was in place for the last breach, which affected as many as 145.5 million Americans. At a minimum that sounds like a $145 billion fine.
But there were definitely multiple pieces of “personal identifiable data” compromised — we know “the hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” according to the FTC. “They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.”
If we discount names, that’s three extra pieces of data per person, plus an additional piece of data for 391,000 people. Which brings the total to… almost $364 billion. That would be more than enough to hit the fine cap even if Equifax made as much as Apple and Amazon do.
Paying up for negligent security
The fines would be capped based on 2016 revenue, which the company said was a record $3.1 billion. So the fine would be either $1.55 billion or $2.3 billion, depending on the definition of “extreme negligence.” I would certainly argue Equifax deserved the higher fine.
Half that money would also end up going to affected consumers, according to Recode’s reading of the bill. That would probably be somewhere between $8 and $15 per consumer.
Not a big win for individuals, but it would be huge for Americans. All three credit bureaus would be quaking in their boots if this law ever made it to a vote, and immediately start upgrading their data security practices. And while the law wouldn’t cover other financial companies, you can bet a lot of them would be assessing their data protection protocols, too.
The bill would also give the FTC regulatory oversight of credit reporting agencies, something really only the CFPB worries about right now. While the Trump administration doesn’t seem likely to pursue new consumer credit regulations through either avenue, it would be a powerful shield under future leadership.
This law probably won’t pass, but something like it should. Data breaches are inevitable, but they shouldn’t be the fault of negligent companies Americans simply can’t avoid.
Article last modified on July 12, 2018. Published by Debt.com, LLC.