Equifax Would Have Paid $1.5bn Under New US Breach Laws
Senators have proposed new legislation which would impose strict liability penalties on credit agencies (CRAs) in the event of a data breach.
The act would establish an Office of Cybersecurity at regulator the FTC which would have responsibility for annual inspections and supervision of security-related issues.
Most notably, it would impose mandatory financial penalties starting at $100 for every customer who has one piece of personally identifiable information (PII) compromised, with $50 per additional piece of PII. Half of the money collected would be used to compensate the victims.
These fines could rise even higher if there’s evidence of inadequate cybersecurity or delayed breach reporting.
Under the new legislation, Equifax would have been forced to pay an estimated $1.5bn fine following its September 2017 breach, according to senator Elizabeth Warren.
"The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," she said in a statement.
"Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into people’s pockets and help stop these kinds of breaches from happening again."
Although the US led the way globally with mandatory breach reporting laws a few years back, it is the EU GDPR which now sets the standard. Under the new data protection regulation, Equifax would likely have seen significant fines, due to the number of UK consumers affected.
Consumer and security groups appear to support the legislation.
“This bill establishes much-needed protections for data security for the credit bureaus,” said National Consumer Law Center staff attorney, Chi Chi Wu.
“It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust.”
Source: Information Security Magazine