Senators Mark Warner (D-Va.) and Elizabeth Warren (D-Mass.) have reintroduced legislation to force credit reporting agencies (CRAs) to pay a baseline $100 penalty for every piece of consumers’ personal data they compromise.
The bill is a direct response to the Equifax data breach. As the senators noted in the press release, under this bill, “Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans’ personal information.”
The bill, the Data Breach Prevention and Compensation Act, would also establish a cybersecurity office at the Federal Trade Commission (FTC) “tasked with annual inspections and supervision of cybersecurity at CRAs.”
The stark penalties and regular reviews could incentivize financial services companies to invest in good cybersecurity and avoide breaches of their users’ personal information. Cybersecurity is a growing problem in several industries as companies digitize, collecting ever-increasing amounts of data on their users and customers, and then storing that data in the cloud, which many experts fear is too easily compromised.
Warner and Warren introduced the bill right before the Senate Banking, Housing and Urban Affairs committee hearing on privacy and data collection on Tuesday, where members of the committee slammed financial services and social media companies alike for playing fast and loose with consumer data.
“Equifax put 150 million Americans’ info out there, they took a small dip in the stock market, and the fact that they haven’t paid a penalty or a fine is outrageous,” Warner said at the hearing.
Maciej Ceglowski, founder of Pinboard, a web service that allows you to organize and keep track of your bookmarked webpages, told senators at the hearing that tech companies across financial services and social media industries need regulation because they’ve broken consumers’ and regulators’ trust.
“As a small businessman in a big industry, I fear we are losing the trust of our users,” he said. “People are being asked to make irrecoverable decisions about their online lives over and over again. The pattern that I’ve seen in my industry is one of deceit. We’re not honest about what we collect, what we use it for, and we are ashamed, frankly, of our business models. You’ll never get someone from Google or Facebook to speak honestly about what they’re doing with your data.”
U.S. regulation doesn’t incentivize businesses to innovate in a consumer-friendly way, he said, which only feeds the problem.
“They don’t like regulation and see a way around it,” he said. “We don’t like banking regulation, so we invent cryptocurrency. We don’t like anti-discrimination regulation, so we use machine learning and blame the algorithm.”
Even the European Union’s GDPR, often heralded as a consumer-friendly privacy regulation, may not be truly consumer friendly. Silicon Valley wants GDPR-like rules in the U.S., but Ceglowski said that might not be the best route for U.S. consumers.
GDPR is “a weapon by those who don’t want their data practices examined,” he said, because websites and tech companies “bludgeon” consumers with hundreds of notifications with opt-in requirements to track or collect potentially sensitive data. When they’re bombarded with all those notifications, he said, they’re not going to read them, which means tech companies still control the process and consumers still can’t really avoid tracking or data collection.
But Warner and Warren’s bill could force tech companies to change how they handle consumers’ data.
Lindsay Gorman, an adjunct fellow with the Center for Strategic and International Studies (CSIS) and CEO of Politech Advisory, previously worked on Warner’s tech policy staff and said this bill is “definitely a test case for other industries.”
“I think it’s pretty good, it’s tackling one problem,” Gorman told InsideSources. “Legislation that shores up cybersecurity when there may not be a compelling business case for leaks and hacks to be reported and no business interest to doing that, we really need an incentive. There’s also a collection action problem. Our cybersecurity is only as strong as the individual players, like Equifax. There are massive vulnerabilities, in healthcare, the automotive sector. I think this is one way of trying to incentivize investment in cybersecurity that might not be at the top of a company’s priority list.”
As industries like financial services, healthcare and auto continue to digitize, she said, they’re not necessarily thinking about cybersecurity or protecting consumers’ data. This bill incentivizes investment, which is good not only for the cybersecurity industry, but for the companies and consumers they serve.
“It’s not because [some companies] are doing anything wrong in the present, but because it hasn’t really been part of the threat model,” Gorman said. “Hospitals care deeply about protecting private medical data, but when you have 23andMe and DNA companies storing ostensibly personal information, a lot of them are startups. Have they invested in cybersecurity and the resources they need? I think that’s a bit open.”
The bill also shows another side of how Warren, a 2020 presidential candidate, may address tech-related issues if she wins the White House. Warren already said she wants to use antitrust law to break up Big Tech, but this bill shows Silicon Valley isn’t the only industry she plans to rebuke and rein in if she perceives harm to consumers.
