Will Congress Upend Credit Reporting Agencies’ Cybersecurity Regulation in Light of Recent Data Breach?

Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introduced the Data Breach Prevention and Compensation Act on January 10, 2018 in an effort to increase accountability of large Credit Reporting Agencies (CRAs) for data breaches involving consumer data. The bill, drafted in response to the September 2017 Equifax data breach revelations, seeks to impose direct administrative supervision over data security at CRAs, mandatory penalties on CRAs for data breaches, and increased compensation to consumers for stolen data.

In a press release issued this morning, Senator Warner explained that “[t]his bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

The major impacts of this proposed bill are three-fold.

1. Strict Liability Penalties

Most notably, the proposed bill seeks to impose strict liability penalties for breaches involving consumer data at CRAs. The current regulatory landscape for CRAs does not mandate penalties for consumer data breaches and, instead, provides for discretionary penalties based upon culpable conduct. In a departure from the status quo, this proposed “strict liability” means a CRA would be subject to automatic penalties for a data breach, even if there is no allegation that the CRA acted negligently or was otherwise culpable for allowing such a breach to occur.

The proposed mandatory strict liability penalties are uniquely heavy-handed as well – starting with a base penalty of $100 per consumer with one piece of personal identifying information compromised. Any additional pieces of personal identifying information compromised per consumer will be subject to a $50 penalty, with a total penalty capped at 50 percent of the CRA’s gross revenue from the prior year.

The bill also proposes to double the automatic per-consumer penalties and increase the maximum penalty to 75 percent of the CRA’s gross revenue in cases where the offending CRA fails to comply with the Federal Trade Commission’s data security standards or fails to timely notify the agency of a breach. This final provision appears to be a direct response to allegations that Equifax delayed notifying consumers and government agencies after its breach occurred.

2. Distribution of Penalty Proceeds

The second major impact of the bill concerns the proposed distribution of penalty proceeds. Current law does not require governmental agencies to distribute penalty proceeds to the affected consumers. The proposed bill seeks to change this status quo, requiring the FTC to use 50 percent of any penalty to compensate consumers. The remainder is allocated to the FTC to conduct cybersecurity research and inspections.

3. Direct Supervision of CRAs’ Cybersecurity by FTC

Speaking of the FTC, the third major impact of the bill is the proposed vesting of the FTC with direct supervision of cybersecurity at CRAs. The FTC currently lacks the authority to oversee the credit reporting industry as a whole, and CRAs in particular.

The bill attempts to fill that perceived regulatory void by creating an Office of Cybersecurity at the FTC to conduct annual inspections and ongoing supervision of cybersecurity at CRAs. Senators Warren and Warner propose that a new career official, to be known as the Director of Cybersecurity, should be appointed and tasked with supervising this office. One additional feature of the bill is that it proposes to authorize this new FTC office to promulgate new regulations outlining effective data security standards for CRAs and require CRAs to implement such standards by seeking injunctive relief in federal courts.

What Should CRAs Expect?

Given these proposals, what should CRAs expect moving forward? For starters, the proposed scope of the bill is limited to CRAs generating more than $7 million in annual revenue from the sales of consumer reports – meaning that only the largest CRAs would be affected. For entities within the bill’s purview, however, a regulatory sea change would be expected if it became law. The strict liability standard, in particular, would entirely upend the current liability landscape for CRAs and would require covered CRAs to essentially act as insurers of the security of the consumer data they possess.

The FTC’s proposed abilities to impose harsh strict liability penalties without a finding of culpable conduct and to seek injunctive relief to require that CRAs implement security measures of its choosing would likely constitute a significant burden to CRAs beyond what is currently required by federal law.

 

Likelihood of Bill Becoming Law

From a purely political perspective, a treacherous road appears to be ahead for the bill to become law. Democrats, of course, do not currently control either chamber of Congress and would need to build bipartisan support to pass the bill. It appears unlikely that President Trump would sign the bill into law, given his disinclination to enact new regulations and his stated goal to deregulate various related industries.

The financial services industry should not entirely discount the bill, however, as the Equifax breach affected a significant portion of the nation’s population, including lawmakers, and appeared to anger lawmakers from both parties. Thus, if a significant quantum of grassroots and lawmaker anger remains after the Equifax breach, the political will to enact this law may exist after all.