Elizabeth Warren and Mark Warner Want Firms Like Equifax Fined $100 For Every Person Affected By Data Breaches
Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introduced a bill Wednesday that would allow the United States government to penalize Equifax and its peers with large fines for major cyber attacks and return that money to affected Americans.
The Data Breach Prevention and Compensation Act would grant the Federal Trade Commission authority to fine credit-reporting agencies, like TransUnion, Experian, and Equifax, $100 for each consumer whose personal information is stolen in a security breach and $50 for each additional piece of personal information compromised.
“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into people’s pockets and help stop these kinds of breaches from happening again,” Warren said in a statement.
Although the FTC launched an investigation into the Equifax data breach in September, it remains to be seen whether the company will be ordered to pay fines.
If this policy had been in place during the Equifax hack in September 2017 that affected 145 million Americans, the credit-reporting agency would have paid an estimated $1.5 billion in fines. The proposed bill ensures that half the money paid to the federal government is returned to those affected by the breach.
The bill proposes a cap on total fines based on the credit-reporting agency’s revenue, but the total penalty can be increased if basic cybersecurity practices weren’t followed.
“If companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” Warner said in a statement.
Despite the scale and frequency of recent hacks, including those at Equifax, Yahoo, Sony, Home Depot, and Target, among others, lawmakers have not passed legislation to address the problem. Fortune has previously reported that for many of these companies, the cost of mishandling sensitive consumer data was less than 2% of sales for one year.