Senators Propose Data Breach Law, Office of Cybersecurity

Yesterday U.S. Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introduced legislation aimed at penalizing credit reporting agencies that allow data breaches.

Recode reports that the bill would target agencies like TransUnion, Experian and Equifax, and would levy fines in the case of a breach of Personally Identifiable Information (PII). American Banker describes the financial penalties in detail as:

…$100 for each consumer who has a piece of personally identifiable information compromised and another $50 for each additional piece of personal identifiable data. The penalties would be capped at 50% of the credit reporting agencies’ gross revenue from the prior year — except in cases of extreme negligence, in which case the fine would go up to 75% of the companies’ prior year gross annual revenue.

The bill would also create an FTC Office of Cybersecurity to police the new regulations and enforce fines. FCW reports that the new Office of Cybersecurity would be responsible for:

…regulating cybersecurity for companies that earn in excess of $7 million a year from the sale of consumer information. Under the bill, such companies would be charged with sharing with the FTC details of their strategy and methods to avoid data breaches, including information about network security, device management, software inventories, access privileges, data encryption, patch management, remote and local data storage and more.

On a related note, in an op-ed for the New York Times just last week, Zeynep Tufekci lamented that:

As things stand, we suffer through hack after hack, security failure after security failure. If commercial airplanes fell out of the sky regularly, we wouldn’t just shrug. We would invest in understanding flight dynamics, hold companies accountable that did not use established safety procedures, and dissect and learn from new incidents that caught us by surprise.