Vol. 54 No. 3

Trial Magazine

On the Hill


Data Breach Legislation Finally in the Works

Jacqueline Kappler March 2018

After the news broke in September 2017 that credit reporting giant Equifax had been the target of several data breaches, cyber experts and everyday consumers alike expected Congress to legislate quickly to ensure such an egregious breach of personally identifiable information (PII) never happened again. Equifax was not the first case of its kind—Target, Home Depot, and Neiman Marcus, to name a few, all have had their computer systems breached and consumer PII stolen. But the rest of the year ticked by with no legislative action.

In January, Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introduced the “Data Breach Prevention and Compensation Act of 2018,” which should help turn the tide to enforce cybersecurity protocols and protect consumer data at consumer reporting agencies. A critical element of this bill is that it uses a three-pronged approach, incorporating essential safety principles such as prevention, financial incentives, and redress for injuries.

Reasonable safety standards in every field, especially emerging technologies, are essential to the civil justice system, and this bill takes steps to ensure that consumer reporting agencies are held to basic cybersecurity standards.

First, the bill authorizes the Federal Trade Commission (FTC) to regulate, supervise, and enforce cybersecurity for credit reporting agencies. This is crucial because the FTC can act quickly to mitigate inadequacies in cyber networks and prosecute negligent companies. The bill would create an Office of Cybersecurity at the FTC, which would be responsible for supervision and annual inspection of cybersecurity at credit reporting agencies.

The legislation also enhances civil penalties for credit reporting agencies whose systems are compromised, enacting a strict liability penalty of $100 for each consumer whose name and at least one piece of PII—such as a driver’s license number or Social Security number—is compromised, with $50 for each additional piece of PII. This is twice the current automatic per-customer penalty. It also would increase the maximum penalty to 75 percent of the consumer reporting agency’s gross revenue for the previous fiscal year in cases when the company failed to notify the FTC of the breach within 10 days of discovering it.

Finally, half of any penalty recovered by the FTC would go to consumers and the other half to the FTC for use in cybersecurity research. This will help consumers recover from a privacy breach even if cybersecurity safeguards have failed. Furthermore, by authorizing the FTC to provide both redress and self-funding through civil penalties, this legislation provides more resources for funding the inspection and supervision of credit reporting agencies by the Office of Cybersecurity.

This carrot-and-stick approach is supported by consumer groups and cyber experts. While the bill is not perfect—it doesn’t contain a civil cause of action or elaborate on specific best practices—with some small amendments, it could positively impact consumer privacy standards. Practicing good cyber safety should be the natural priority for companies, and by increasing penalties for bad cyber hygiene, this legislation would help ensure consumers are protected from the moment their data is collected.

Jacqueline Kappler is AAJ's federal relations counsel. She can be reached at jacqueline.kappler@justice.org. To contact AAJ Public Affairs, email advocacy@justice.org.