Consumer Data Breaches: New Legislation on the Way?
On March 1, 2018, Representative Ted Liu (D-CA-33) introduced two pieces of consumer protection legislation. Notably, the announcement came on the same day that Equifax revealed that an additional 2.4 million people were affected by last year’s breach.
The “Protecting Consumer Information Act of 2018” will expand the Federal Trade Commission’s (FTC’s) enforcement authority over credit reporting agencies and service providers of credit reporting agencies. In particular, the FTC will utilize section 501 of the Graham-Bleach-Bliley Act to require consumer reporting agencies to maintain sufficient safeguards to protect consumer information against cyberattacks. Accordingly, the FTC will then conduct investigations. Furthermore, under this bill, state attorneys general will have the power to bring enforcement actions and obtain both monetary and injunctive relief for the consumers.
The “Ending Forced Arbitration for Victims of Data Breaches” bill will prohibit entities from enforcing mandatory arbitrary clauses in data breach cases, including cases involving identity theft. Specifically, the bill designates arbitration clauses as “unfair and deceptive” business practices under the FTC rules. The bill expressly outlines a private right of action for the consumer, in addition to the powers of the FTC and the state’s attorney general to bring a lawsuit.
Both pieces of legislation would expand the FTC’s authority over breaches in the credit-reporting sector. However, Liu’s is not the first attempt to do so. In January, Elizabeth Warren (D-MA) and Mark Warner (D-VA) also introduced a bill to establish cybersecurity standards for credit bureaus and institute financial penalties targeting firms that are breached.