Working to Hold Equifax Accountable

Elizabeth Warren and Mark Warner Unveil Legislation to Hold Credit Reporting Agencies Accountable for Data Breaches

In September 2017, Equifax announced that hackers had stolen sensitive personal information — including Social Security Numbers, birth dates, credit card numbers, driver’s license numbers, and passport numbers — of over 145 million Americans. The attack highlighted that credit reporting agencies like Equifax hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers. When consumers’ data are exposed, many purchase credit monitoring services from the same companies that compromised their personal information in the first place.

Full text of the bill is available here.

Warren-Warner Bill Would Establish Cybersecurity Inspections for Credit Reporting Agencies, Impose Mandatory Penalties for Security Breaches, & Compensate Consumers for Stolen Data

Under this legislation, Equifax would have paid at least $1.5 billion in penalties as a result of its latest data breach.

United States Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) today introduced the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs) — including Equifax — accountable for data breaches involving consumer data. The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.

“The financial incentives here are all out of whack — Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” said Senator Warren. “Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into peoples’ pockets and help stop these kinds of breaches from happening again.”

The Data Breach Prevention and Compensation Act would establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs. It would impose mandatory, strict liability penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. Under this legislation, Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans’ personal information. To ensure robust recovery for affected consumers, the bill would also require the FTC to use 50% of its penalty to compensate consumers and would increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.

“In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” said Senator Warner. “This bill will ensure that companies like Equifax — which gather vast amounts of information on American consumers, often without their knowledge — are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

Previously, Elizabeth Warren Took the Outgoing CEO of Equifax to Task in a Senate Hearing

Read more about the exchange here.

Elizabeth Warren Also Introduced the FREE Act to Give Consumers Control of their Data

The Freedom from Equifax Exploitation (FREE) Act would give control over credit and personal information back to consumers.

Credit reporting agencies like Equifax collect personal financial data on millions of Americans and rake in billions of dollars in annual revenue selling this information to others. If consumers wish to limit how credit reporting agencies use this information — such as by placing a credit freeze on their credit file — they often have to pay a fee to the agency, even though consumers never gave the agency permission to collect their data in the first place. The FREE Act helps address this problem by creating a federal requirement for credit reporting agencies to freeze (as well as temporarily or permanently unfreeze) access to credit files at a consumer’s request and at no cost.

The FREE Act would also prevent credit reporting agencies from profiting off of consumers’ information during a freeze, enhance fraud alert protections, and provide the opportunity for consumers to receive an additional free credit report following the Equifax data breach. Finally, the bill would force Equifax and the other credit reporting agencies to refund any fees they charged for credit freezes in the wake of the Equifax data breach.

Days After the Breach, Elizabeth Warren Launched Her Own Investigation into Equifax’s Delayed & Lackluster Response

Shortly after news of the Equifax breach broke, Elizabeth Warren launched a broad investigation into the causes of the breach, the response by Equifax, and how to address problems at credit reporting agencies and better protect consumers.

In addition to Equifax, she wrote to the credit reporting agencies TransUnion and Experian, to the Federal Trade Commission and Consumer Financial Protection Bureau on oversight actions prior to and following the breach; and to the Government Accountability Office to request a thorough investigation into consumer data security.