Top Senate Democrats introduced a bill Wednesday to curb massive theft of consumer data, in the wake of last year’s unprecedented Equifax hack, by dramatically increasing the fines credit reporting agencies must pay.
In September 2017, Equifax, one of America’s three major consumer credit reporting agencies, announced that hackers had stolen highly sensitive personal and financial information central for access to credit — including Social Security numbers, birthdates, credit card numbers, driver’s license numbers and passport numbers — of over 145 million Americans.
On Wednesday, Sen. Mark Warner, a Virginia Democrat who co-founded the Senate Cybersecurity Caucus, and Elizabeth Warren, a Massachusetts Democrat, introduced a bill to bolster the Federal Trade Commission’s (FTC) authority to impose significant fines whenever data is stolen from the credit-reporting agencies, Equifax, TransUnion and Experian.
Under their plan, the Equifax hack would have forced the Atlanta-based firm to pay over $1.5 billion in fines had the law been in place, the lawmakers estimated.
Last fall, the massive attack caused a barrage of interest on Capitol Hill as lawmakers were also deep into an investigation of Russia’s use of propaganda and disinformation across U.S. social media during the 2016 presidential election.
While the source of the Equifax breach remains unknown, cybersecurity experts floated numerous theories that nation-state-backed hackers, possibly from North Korea, China or Russia, were involved. Past hacks have seen operatives from those nations siphoning detailed personal and financial information from Americans for resale on the so-called Dark Web, or internet black market, where illegal activity is rampant.
“In today’s information economy, data is an enormous asset,” Mr. Warner said in a statement Wednesday. “But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”
Titled “The Data Breach Prevention and Compensation Act,” the proposal calls for establishment of an Office of Cybersecurity at the FTC.
The mandatory, strict-liability fines that would be imposed start at $100 for each consumer who has one piece of personal identifying information compromised, plus another $50 for each additional piece of information a hacker steals. The total fine would be based on the credit-reporting agency’s revenue and could increase if the firms fail to follow basic cybersecurity practices.
Under the bill, half of the fines collected by the FTC would be returned directly to affected consumers.
“The financial incentives here are all out of whack — Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” Ms. Warren said in a statement.
• Dan Boylan can be reached at dboylan@washingtontimes.com.