Last September, shortly after Equifax disclosed a massive data breach, regulatory agencies moved quickly to adopt regulations intended to better protect consumers from data breaches. Last week, Congress took a first step toward codifying such protections.
On January 10, 2018, Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) introduced the Data Breach Prevention and Compensation Act (the “Act”). The Act would establish a new Office of Cybersecurity within the Federal Trade Commission (the “FTC”), which would supervise consumer reporting agencies like Equifax and promulgate regulations requiring such agencies to disclose how they protect consumer data.
The Act would also impose harsh penalties on consumer reporting agencies that experience data breaches. Within ten days of a covered breach, an agency must notify the FTC of such breach. The FTC would then be entitled to commence a civil action against the agency, in which the FTC could impose a penalty of $100 for each consumer whose name and at least one item of personally identifying information (e.g., social security number) was compromised, plus an additional $50 for each additional item of personally identifying information compromised for each consumer. The total penalty would, however, be capped at 50% of the gross revenue of the consumer reporting agency unless the agency failed to comply with the Act or regulations.
Had this Act been in place at the time of the Equifax data breach, Equifax likely would have been subject to the maximum permitted penalty, due to the magnitude of the breach and Equifax’s failure to report the breach within ten days. With at least 145 million consumers affected in the data breach, and several items of personally identifying information stolen, the penalty could have reached several billion dollars.
The penalty, however, would not simply go to the government. Consumers affected by the data breach would be entitled to 50% of the penalty. This would be in addition to any other rights the consumers have under state or federal law and would present the first clear path for consumers to recover against consumer reporting agencies for data breaches. Currently, consumers are severely limited in their ability to recover damages from consumer reporting agencies.
While we do not expect the Act to be adopted, it will be interesting to follow and gain insight into how Congress believes it should respond to the growing number and magnitude of data breaches.