Equifax breach drives legislative push on data privacy


Rep. David Cicilline (D-R.I.) is the latest member of Congress to offer a legislative answer to the growing problem of consumer data breaches. His Consumer Privacy Protection Act, introduced Oct. 19, orders companies to notify consumers if sensitive information has been compromised in a data breach. The bill widens the scope of sensitive information, including not just Social Security and credit card numbers, but also digital photographs and geographical and biometric data.

Like Rep. Jim Langevin's (D-R.I.) September legislation, Cicilline's bill holds companies with access to sensitive data on more than 10,000 customers accountable, giving them 30 days to disclose data breaches involving personal information. If a breach that costs a customer $1,000 or more in "economic harm" is found to have been concealed, the responsible company can expect legal repercussions in the form of a fine or imprisonment.

Currently, 48 states have data breach laws in place. Provisions of Cicilline's bill would supersede any state law deemed "less stringent." The legislation has seven cosponsors, all Democrats. The original version was introduced in 2015.

Since the disclosure of the Equifax breach in September, there has been increased pressure on Capitol Hill to update the laws around consumer data privacy. Many officials agree that there is a need for new consumer privacy laws, but some wonder whether federal notification and national standards alone can fully help consumers mitigate the effects of cyber theft.

At an Oct. 17 Senate Banking Committee hearing, Chris Jaikaran, cybersecurity policy analyst at the Congressional Research Service, said that while a federal notification law would "provide a level of certainty for both businesses and consumers," follow-up remains critical.

"What will consumers be expected to do with that information? Do they just get a letter in the mail saying that their data was compromised and they're on their own? Or is there some recourse that the business or the corporation [must] provide to the consumer?" Jaikaran asked.

Sen. Mike Rounds (R-S.D.) stated that while he agreed with the idea of establishing a security standard and "continued surveillance" of credit reporting agencies, more must be done to combat perpetrators of these attacks.

"Until we get down to the point where there are actually consequences for the bad guys involved, we're not going to make the major dent that we have to in terms of cyber theft," Rounds said. "We're focusing on the people who are trying to provide services. We're not focusing on going after the guys who are actually causing the problems for everybody else."

About the Author

Ben Berliner is a former editorial fellow at FCW. He is a 2017 graduate of Kenyon College, and has interned at the Center for Responsive Politics and at Sunlight Foundation.
