Dems want to penalize credit companies whose data is breached

Sens. Elizabeth Warren and Mark Warner introduced legislation Wednesday targeting credit companies like Equifax and the way they respond to data breaches.

Warren, a Massachusetts Democrat, told CNN’s “New Day” that the legislation would enforce penalties for credit companies whose data was stolen. But with no Republican co-sponsors, the bill’s success is uncertain in a GOP-controlled Congress.

“We had a hearing in banking and asked a lot of questions about it of the former CEO of Equifax, and you know what we found out, Equifax might make money off the breach,” Warren told CNN’s Alisyn Camerota on “New Day.”

“Sen. Warner and I decided this was just fundamentally wrong and we are introducing a bill today to say that when a credit reporting agency lets your data be stolen, that there are substantial automatic penalties that go into place and there’s money that automatically goes back to the people whose data has been stolen,” Warren said.

Cybercriminals penetrated Equifax, one of the largest credit bureaus, in July and stole the personal data of 145 million people. It was considered among the worst breaches of all time because of the amount of sensitive information exposed, including Social Security numbers.

The company only revealed the hack two months later. It could have an impact for years because the stolen data could be used for identity theft.

Firms, including Equifax, TransUnion and Experian, sell that data to banks, landlords, employers and other outlets so they can learn more about customers. Whether data brokers do enough to keep that private information secure is under scrutiny.

Former Equifax CEO Richard Smith, who stepped down after the breach was revealed, testified to Congress last year and blamed the security failure on one person who had since been fired.

“Two things would be different,” Warren said. “The first one is, Equifax would be paying a penalty that could be over $1 billion for its breach, but more to the point that would be the warning to Equifax and every other credit reporting agency — that if you do this, you are not going to walk away unscathed, and that means the credit reporting agencies will have a real reason to invest much more heavily in security.”

She added, “What we don’t want to have is for companies like this to say this is basically the price of doing business, we want to put a real penalty in place so they put in place the kind of security protections that legitimate firms should have.”

Warren grilled Smith during his testimony, arguing that Equifax was making money from its data breach.

Equifax offered consumers one year of credit monitoring for free to protect themselves from identity theft after the hack. After that, consumers will have to pay a standard rate of $17 per year.

CNN reported in October that 7.5 million Americans have signed up for the service through Equifax. If only one million individuals were to extend the service for an additional year, the company would earn more than $200 million in revenue as a result of this breach, Warren said during the hearing.

A message left with Equifax seeking a response to Warren’s claim Wednesday was not immediately returned.

Members of both parties in Congress have long pursued data breach legislation in response to significant breaches, but such efforts have so far gained virtually no momentum beyond committee action.