Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) reintroduced the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs)-including Equifax-accountable for data breaches involving consumer data. 

The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs for data breaches to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.

The Data Breach Prevention and Compensation Act would:

  • Establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs.
  • Impose mandatory, strict liability penalties for breaches involving consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised. Under this bill, Equifax would have paid at least a $1.5 billion penalty for their failure to protect Americans' personal information.
  • Ensure a robust recovery for affected consumers by requiring the FTC to use 50 percent of its penalty to compensate consumers.
  • Increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to provide timely notification to the FTC of a breach.
  • Enhance FTC enforcement by giving the FTC civil penalty authority under the Gramm-Leach-Bliley Act, as recommended by a Government Accountability Office report requested by Senator Warren and Representative Cummings.

A new analysis of consumer complaints to the Consumer Financial Protection Bureau (CFPB) was also issued, which revealed that in the 18 months after the Equifax breach was announced, consumers filed over 52,000 complaints related to Equifax, nearly double the number from the same period before the breach was announced.