Federal clampdown on credit data cybersecurity breaches

Two senators have announced plans for new cybersecurity laws that will give the Federal Trade Commission (FTC) the power to penalize organizations handling consumer credit data that fail to properly safeguard against cybercriminals. The legislation, entitled the Data Breach Prevention and Compensation Act, was proposed by Senators Elizabeth Warren and Mark Warner, and would create a new office at the FTC charged with overseeing data protection in the face of increasing cybercrime.

If the legislation passes, it would mean severe penalties for credit rating companies that experience cybersecurity breaches exposing customer data. Companies would have to pay $100 for every individual piece of “personally identifiable information” (PII) lost in a cybercrime attack, plus a further $50 for each additional PII file per customer – which could result in large total fines in instances where cybercriminals access hundreds or thousands of individual customer records. The maximum penalty for agencies that fail to comply would equate to 50 percent of the organization’s gross revenue from the year prior to the breach.

The proposed bill would also give the FTC increased oversight and power over data protection standards. In the light of increased cybercrime in recent years, it is comparable to similar information protection legislation being enacted in other parts of the world, such as the General Data Protection Regulation (GDPR), which is due to come into force in the European Union later this year.

While the proposed fines for businesses that leave themselves exposed to cybersecurity breaches could be considered punitive, they are also intended to compensate the consumers whose personal data is exposed to cybercriminals in such attacks. Under the proposed legislation, 50 percent of the fines imposed by the FTC would be repaid to the victims as compensation, while the other half would be used to fund FTC security research and industry inspections, with the aim of helping to reduce the risks of exposure to cybercrime in the future.