Credit reporting agencies must pay the price for their breaches
By Raja Krishnamoorthi, Guest Columnist
“My life has been a complete nightmare, for I have been denied credit, turned down (for) employment and unable to provide adequate shelter for me and my sons.”
These are the plaintive words of an Illinois parent in a complaint filed with the federal Consumer Financial Protection Bureau — one of more than 145.5 million people subject to data breaches that exposed their personal information. Almost two years later, many of them are still suffering the consequences. It’s well past time that Congress did something about it.
In September 2017, the credit-rating agency Equifax announced that hackers had stolen its store of sensitive personal information — including Social Security numbers, birth dates, credit card numbers, driver’s license numbers and passport numbers. The attack highlighted that these private companies hold vast amounts of data on millions of Americans, but lack adequate safeguards against hackers. The victims of this breach continue to suffer the consequences:
“There are several fraudulent accounts reported on my credit (record),” said the Illinois parent. “I have fought with these credit agencies for over four months to remove this information. I have provided the credit agencies letters from the many companies advising me that I am not liable for the accounts and they would remove it. But for some reason these credit bureaus refuse …”
Unfortunately, this Illinois resident is not alone. A study published by my staff in conjunction with Senators Warren, Warner and Schatz found that in 18 months since Equifax announced the breach of sensitive consumer information, consumers filed 52,031 complaints related to Equifax. The majority of these complaints were filed between March 8, 2018 and March 7, 2019, revealing that Equifax was still failing to address customer concerns long after the breach was revealed. Overall, complaints stemming from Equifax’s failure to respond effectively to consumer problems make up at least 82 percent of the complaints about the company in the last year.
To hold Equifax and other credit reporting agencies accountable for future data breaches and to ensure that the victims are compensated quickly and fairly, Oversight Committee Chairman Elijah Cummings and I recently introduced legislation in the House to impose mandatory penalties for breaches, require cybersecurity inspections and compensate consumers for stolen data. Under the provisions of this bill, Equifax would have paid at least $1.5 billion in penalties for its 2017 data breach — with at least half of those funds going directly to the affected consumers.
Specifically, the Data Breach Prevention and Compensation Act would:
• Establish an Office of Cybersecurity at the Federal Trade Commission (FTC) to conduct annual inspections and supervision of cybersecurity at credit reporting agencies;
• Impose mandatory, strict liability penalties for breaches involving consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information compromised and another $50 for each additional piece;
• Ensure compensation for affected consumers by requiring the FTC to use 50 percent of its penalties to compensate consumers;
• Increase penalties in cases of inadequate cybersecurity or if a credit-reporting agency fails to provide timely notification of a breach; and,
• Enhance FTC enforcement by giving the FTC civil penalty authority as recommended by the nonpartisan Government Accountability Office.
The Data Breach Prevention and Compensation Act is supported by leading cybersecurity experts and consumer groups, including the National Consumer Law Center, the Electronic Privacy Information Center and the U.S. Public Interest Research Center (PIRG) Consumer Campaign.
In today’s economy, the personal information of consumers is the new gold standard and must be protected that way. Private companies that hold such information must provide adequate security and notify, protect and compensate consumers whenever that security is breached. The federal government can and must provide oversight to ensure these companies are doing their jobs and, when they fail, are making consumers whole.
It’s tough enough these days for families in Illinois and across our country to pay their mortgages, credit card bills and other family expenses. We cannot allow credit reporting agencies and other private companies to make life harder for families through no fault of their own. It’s time to hold them accountable for protecting our personal information — and to pay the price when they fail.
Congressman Raja Krishnamoorthi is a Democrat from Schaumburg.