Sending Office: Committee on Oversight and Reform
Request for Cosponsor(s)
We invite you to cosponsor H.R. 2545, the Data Breach Prevention and Compensation Act of 2019.
This bill was developed after a bipartisan investigation conducted over the past several years by the Committee on Oversight and Reform into the Equifax data breach—one of the largest and most far-reaching cybersecurity failures in American history that negatively affected nearly 148 million people. Equifax failed to respond effectively to consumer complaints or implement adequate changes to prevent additional security lapses.
The legislation would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at consumer reporting agencies (CRAs), strengthen the existing penalty regime, and incentivize the largest agencies to protect consumer data and compensate consumers for stolen data. The bill would:
• Establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs. The bill would establish a Director and Office of Cybersecurity to conduct cybersecurity inspections at CRAs and authorize the FTC to promulgate new regulations outlining effective data security standards for CRAs. The bill also would direct the FTC to report to Congress on areas where it needs to enhance the agency’s authorities to fully address cyber-theft.
• Impose strict liability penalties for breaches involving consumer data. The bill would impose a base penalty of $100 for each consumer who has one piece of personal identifying information (PII) compromised and another $50 for each additional piece of PII compromised. The penalty would be capped at 50% of the CRA’s gross revenue from the prior year. Under this approach, Equifax would have paid at least a $1.5 billion penalty for its failure to protect Americans’
• Ensure a robust recovery for affected consumers. The bill would require the FTC to use 50% of the revenue generated from penalties to compensate consumers.
• Increase penalties in cases of woefully inadequate cybersecurity or when a CRA fails to notify the FTC of a breach. The bill would double the automatic per-consumer penalties and increase the maximum penalty to 75% of the CRA’s gross revenue in cases when the offending CRA fails to comply with the FTC’s data security standards or fails to timely notify the agency of a breach.
• Enhance FTC enforcement. The bill would grant the FTC civil penalty authority under the Gramm-Leach-Bliley Act, as recommended by a Government Accountability Office report prepared for Senator Warren and Chairman Cummings.
If you have any questions or would like to sign on as a cosponsor of the bill, please contact Yvette Badu-Nimako at
ELIJAH E. CUMMINGS, Committee on Oversight and Reform
RAJA KRISHNAMOORTHI, Subcommittee on Economic and Consumer Policy