The massive Equifax data breach last year exposed the personally identifying information of approximately 145 million consumers, including their full names, social security numbers, birth dates, and over 200,000 credit card credentials. The breach was announced months after hackers successfully obtained access to the sensitive financial information collected by Equifax.

Following the breach, the company was the subject of multiple congressional hearings and the target of numerous lawsuits filed by private parties and governmental agencies, including the Commonwealth of Massachusetts and the City of Chicago, among others. The media firestorm following this unprecedented breach has mostly subsided, but legislation is currently pending at the state and federal levels that seeks to hold credit reporting agencies accountable for data breaches and seeks to eliminate the costs associated with credit freezes.

State of Illinois

When the breach was announced, financial experts recommended that consumers place a freeze on their credit reports to limit their exposure to identity theft. A credit freeze allows you to restrict access to your credit report, which makes it more difficult for identity thieves to open new accounts in your name; however, it also limits your ability to obtain a loan without first temporarily lifting or removing the freeze. To do this you must pay a fee in Illinois.

With the introduction of House Bill 4095, Illinois seeks to join several states that prohibit credit reporting agencies from charging fees for placing credit freezes.1 The bill amends the Consumer Fraud and Deceptive Business Practices Act, which currently allows credit reporting agencies to charge consumers $10 to place a freeze on their credit and an additional fee to remove or temporarily lift the freeze.2

Because a freeze is most effective when placed with all three major credit reporting agencies, an Illinois consumer would incur a $30 cost to place the freeze. The consumer would then have to pay an additional fee each time a credit freeze was lifted or removed.

The Consumer Fraud Act prohibits credit reporting agencies from charging these fees to consumers who are at least 65 years of age, victims of identity theft, and active duty military service members. If enacted, HB 4095 would eliminate these fees for all consumers. On October 26, 2017, the Illinois House voted unanimously in favor of the bill. The bill is currently being considered by the Senate.

U.S. Senate

At the federal level, Senators Elizabeth Warren and Mark Warner recently introduced the Data Breach Prevention and Compensation Act.3 The bill creates the Office of Cybersecurity at the Federal Trade Commission, which will have the authority to supervise data security at credit reporting agencies, promulgate regulations for effective data security, and impose fines for data breaches.

The bill applies to any instance where at least one piece of personally identifying information maintained by a credit reporting agency is exposed to an unauthorized party. “Personally identifying information” includes, among other things, social security numbers, passport numbers, unique biometric data such as fingerprints, and financial account numbers.

The credit reporting agencies will be required to notify the Commission of a covered breach within 10 days of an occurrence. Once the Commission receives notice, it will have 30 days to commence a civil action in federal district court to recover a civil penalty. The Commission will have the authority to fine a credit reporting agency $100 for each consumer whose personally identifying information was compromised and an additional $50 for each additional piece of information that was stolen. That penalty can double, however, if the credit reporting agency fails to notify the Commission of the breach within the 10-day window.

To put this into context, Equifax would have been subject to a fine of at least $14.5 billion for the 2017 breach, assuming that each person had at least one piece of personally identifying information compromised.

Total fines would be capped based on the company’s gross revenue for the fiscal year preceding the occurrence of the breach. Here, that amount would have totaled approximately $1.57 billion based on Equifax’s 2016 earnings.4 Half of the assessed penalties would be divided among the consumers affected by the breach, with the remainder being allocated to cybersecurity research and inspections by the Commission.

The bill was introduced on January 10, 2018, and has been referred to the Committee on Banking, Housing, and Urban Affairs. 

__________

1. H.R. 4095, 100th Gen. Assem., Reg. Sess. (Ill. 2017).

2. 815 ILCS 505/2MM.

3. S. 2289, 115th Cong. (2018).

4. Equifax.com, Quarterly Results, https://investor.equifax.com/financial-information/quarterly-results/2016 (last visited January 7, 2018).