May 07, 2019

Warren, Warner, Cummings, Krishnamoorthi Reintroduce Legislation to Hold Equifax and other Credit Reporting Agencies Accountable for Data Breaches

Bill Would Impose Mandatory Penalties for Breaches, Require Cybersecurity Inspections, and Compensate Consumers for Stolen Data

Under This Legislation, Equifax Would Have Paid At Least $1.5 Billion in Penalties for 2017 Data Breach

Lawmakers Unveil New Report Showing Equifax Still Failing Consumers Long After Data Breach and Write to Regulators Demanding Action

Bill Text (PDF)Fact Sheet (PDF)

New Report on Equifax Complaints (PDF)

Letter to the Federal Trade Commission (PDF)Letter to the Consumer Financial Protection Bureau (PDF)

Washington, DC - United States Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.), along with Representatives Elijah E. Cummings (D-Md.), Chairman of the House Committee on Oversight and Reform, and Raja Krishnamoorthi (D-Ill.), today reintroduced the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs)-including Equifax-accountable for data breaches involving consumer data. The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs for data breaches to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.

Senators Warren, Warner and Representative Krishnamoorthi, along with Senator Brian Schatz (D-Hawaii), also issued a new analysis of consumer complaints to the Consumer Financial Protection Bureau (CFPB), which revealed that in the 18 months after the Equifax breach was announced, consumers filed over 52,000 complaints related to Equifax, nearly double the number from the same period before the breach was announced. The report shows how the company is still failing consumers by providing inadequate responses to consumer complaints over the course of several months and refusing to remove incorrect information from credit reports despite consumers contacting Equifax multiple times, among other concerns. The senators and Representative Krishnamoorthi also wrote to the FTC and CFPB attaching their new report and asking the agencies to take action.

"It's been nearly two years since Equifax put more than half of the adults in this country at risk by opening the doors to hackers, and this new report shows that this problem is far from fixed," said Senator Warren. "Our bill would hold companies like Equifax accountable for failing to protect consumer data, compensate consumers injured by these breaches, and help ensure that these breaches never happen again."

"It's been nearly two years since hackers accessed the personal information of more than 143 million Americans, yet thousands of individuals continue to grapple with the effects of this massive breach," said Senator Warner. "As personal data becomes more and more valuable in today's information economy, and the scale and impact to consumers of mega-breaches increase, there need to be increased consequences for companies like Equifax that mishandle or neglect to properly safeguard consumer data. By imposing strict penalties for data breaches and facilitating compensations for affected Americans, this legislation will increase accountability and help ensure that credit reporting agencies actively prioritize the security of sensitive consumer information."

"The Equifax data breach was one of the largest and most consequential in United States history," said Congressman Cummings. "It was a wake-up call that credit reporting agencies are not adequately protecting the American public's personal data.  Last year, I released a staff report with a number of specific recommendations Congress could take to protect consumers from future cyber attacks, and I am happy that many of those recommendations are now included in the bill we are introducing today.  These companies must be held accountable when they fail to protect the personal data entrusted to them by American consumers."   

"Working for the people means protecting the personal data of consumers and holding companies accountable for data breaches that compromise consumer health and safety," said Congressman Raja Krishnamoorthi. "As the Chair of the Oversight Subcommittee on Economic and Consumer Policy, I am proud to co-lead this bicameral legislation to prevent the negligence and abuses which could lead to the next consumer data breach."

In September 2017, Equifax announced that hackers stole sensitive personal information -- including Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers -- of over 143 million Americans, a number later revised up to 145.5 million people. The attack highlighted that CRAs hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers. Since 2013, Equifax reported at least four separate hacks in which sensitive personal data were compromised.

The Data Breach Prevention and Compensation Act would:

  • Establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs.
  • Impose mandatory, strict liability penalties for breaches involving consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised. Under this bill, Equifax would have paid at least a $1.5 billion penalty for their failure to protect Americans' personal information.
  • Ensure a robust recovery for affected consumers by requiring the FTC to use 50% of its penalty to compensate consumers.
  • Increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to provide timely notification to the FTC of a breach.
  • Enhance FTC enforcement by giving the FTC civil penalty authority under the Gramm-Leach-Bliley Act, as recommended by a Government Accountability Office report requested by Senator Warren and Representative Cummings.

The analysis of Equifax complaint data prepared by the offices of the senators and Representative Krishnamoorthi found that consumers continue to file complaints against Equifax at a higher rate than before the breach. Specific findings of this new analysis include:

  • In 18 months between September 7, 2017, when Equifax announced the breach of sensitive consumer information, and March 6, 2019, consumers filed 52,031 complaints related to Equifax.
  • The majority of these complaints-30,372-were filed in one year between March 8, 2018, and March 7, 2019 - revealing that Equifax was still failing to address customer concerns long after the breach was revealed.
  • Overall, complaints stemming from Equifax's failure to respond effectively to consumer problems make up at least 82% of the complaints about the company in the last year. 

The report also found a shift in the type of CFPB complaints filed against Equifax in recent months, indicating that consumers have encountered more and more difficulties with Equifax's response to the breach, and that the problems it has caused millions of Americans do not appear to be fully resolved.

The lawmakers' full report, titled Breach of Trust: CFPB's Complaint Database Shows Failure to Protect Consumers after Equifax Breach, can be read here.

The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:

"This bill requires the FTC to provide much-needed oversight of the credit bureaus for data security. It also imposes real and meaningful penalties when the credit bureaus, who hold our most sensitive financial information, fail to adequately protect that information. I commend Senator Warren, Senator Warner, and Congressmen Cummings and Krishnamoorthi for their continuing efforts to prevent another massive security failure like the Equifax data breach," said National Consumer Law Center Staff Attorney, Chi Chi Wu.

"A concrete response to a serious problem facing American consumers. The ongoing risk of data breach and identity theft have reached epidemic proportions. We clearly need more expertise in the federal government to address this challenge. We hope the Senate will more forward this important and timely effort to safeguard American consumers and Internet users," said Electronic Privacy Information Center President and Executive Director, Marc Rotenberg

"Equifax still hasn't paid a price two years after losing the financial DNA of 150 million Americans. That's why U.S. PIRG commends Senator Warner, Senator Warren, and Congressmen Cummings and Krishnamoorthi for reintroducing the Data Breach Prevention and Compensation Act. The bill provides strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data," said U.S. PIRG Consumer Campaign Director, Mike Litt.

"Making the companies that collect and sell consumers' personal information liable when they fail to secure it is a necessary step in ensuring our privacy rights," said Former Chief Technologist at the FTC, Ashkan Soltani.

Read more statements of support here. View a fact sheet about the legislation here. View the bill text here.