Elizabeth Warren's bill would fine the next Equifax for data breach

A proposed law in the Senate requires credit reporting agencies to protect the data they amass on American consumers from hackers -- or pay the price.

Laura Hautala Former Senior Writer

Sen. Mark Warner, D-Va., and Sen. Elizabeth Warren, D-Mass., talk before a Senate hearing in 2015. On Wednesday, the senators introduced legislation that would let the FTC fine credit reporting agencies in the event of a data breach.

Two Democratic senators want to make the law tougher on credit reporting agencies that get breached by hackers, like Equifax did in 2017. 

Sen. Elizabeth Warren of Massachusetts and Sen. Mark Warner of Virginia introduced a bill Wednesday that aims to make data breaches hurt companies' bottom lines. The bill addresses problems the lawmakers say let credit reporting agencies collect consumer data without doing enough to protect it from hackers.

"The financial incentives here are all out of whack," Warren said in a statement. "Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach."

If passed into law, the bill would give the US Federal Trade Commission the authority to inspect the companies that collect vast amounts of financial data on consumers to make sure they're protecting that information. It would also let the agency fine them in the event of a data breach, to the tune of $100 per affected consumer as a minimum. Half of that money would be redistributed to the consumers caught up in the data breach.

"The agencies already comply with the same rigorous data protection standards as banks," said Francis Creighton, President and CEO of the Consumer Data Industry Association, which represents Equifax as well as Experian and TransUnion. "We do not believe the Warren/Warner bill provides a balanced solution to an increasingly complex problem that affects every part of the economy -- including the federal government.  

"However, we look forward to continuing to work with Congress to ensure we maintain a vibrant and innovative system that protects consumers without impeding their access to credit," he added.

In the case of the Equifax breach, that would have meant a fine of at least $14.3 billion. However, the fines would be capped at 50 percent of a company's gross revenue from the prior year.

Former Equifax CEO Richard Smith told lawmakers that a combination of human error and technical problems prevented the company from patching a critical software bug in time. Hackers used a known vulnerability in software running a computer application called Apache Struts to breach the company's systems, Equifax said.

Warren tried last year to pass reforms in the wake of the Equifax hack, too. She proposed a bill that would have required credit reporting agencies to let consumers freeze their credit indefinitely, and unfreeze it at any time, at no cost. Her other bill would have prevented employers from making hiring decisions based on credit reports. Neither bill made it out of committee before the end of the legislative year.
