Save Us From the Data Breach Prevention and Compensation Act

The New York Post (yeah, we'll read anything) reported that:

"Sen. Elizabeth Warren (Mass.) and Sen. Mark Warner (Va.), unveiled a bill to place stricter regulations on credit reporting agencies and impose hefty penalties for future data breaches. The Data Breach Prevention and Compensation Act places credit reporting agencies under the watch of the Federal Trade Commission and establishes a brand new FTC Office of Cybersecurity. The FTC would be required to penalize the agencies $100 per customer for every bit of personally identifiable information that “is exposed or is reasonably likely to have been exposed to an unauthorized party” — and $50 for every additional piece of information, according to the bill. The FTC would be required to give at least 50 percent of that as compensation to victims."

This is a disaster in the making for a number of reasons. In no particular order:

  1.  We don't need another Office. A contributing factor to past regulatory failures has been the splintering of overseeing parties (to wit, see the 1,798,456 bodies governing banking). Cybersecurity is a problem that impacts a wide-ranging set of industries, not just those under the purview of the FTC. What's going to happen when every industry-specific regulatory body sets up an "office of cybersecurity"? The answer is confusion and pandemonium. Oh, and increased costs of doing business that will be passed on to consumers.
  2. The criteria for penalties are vague and...uh....unreasonable. What does "reasonably likely to have been exposed" mean? It's conceivable that, as we speak, every consumer's data in every one of the reporting agencies has already been exposed. Who's going to prove or disprove this "reasonableness" factor? And what are "additional pieces of information"? Does every database field impacted count as an "additional piece of information"?
  3. How will victims actually get compensated? Here's an idea: Maybe everyone can give the reporting agencies their checking account routing and account numbers, and the agencies can just transfer the penalty payment through ACH.

The bill would be a gold mine for gold-digging cyber lawyers trying to prove that data was "reasonably likely" to have been exposed based on no evidence of an actual breach. As Brian Krebs, one of the preeminent experts in data security, has said:

"People began freaking out after the Equifax breach, but this data has been broadly available for sale in the cybercrime underground on a significant portion of the American populace for years."

It would be nice if Congress tried to help find ways to identify and penalize the perpetrators of the breaches, instead of just penalizing companies who are actually victims themselves. You would think that they believe that Equifax didn't care about data protection and privacy, and didn't take steps to prevent the breach.

Think of it this way: Should we fine a bank if a bank robber enters a branch, sticks a gun in a teller's face, and takes some cash? Conceptually, this is no different from the data breach problem.

Not that I want to sound like I'm defending Equifax, mind you. The company surely didn't handle the breach well. But that doesn't make the proposed DBPCA a good idea. It's not even a good acronym.

Ron Shevlin
Director of Research
Cornerstone Advisors