Equifax breach drives legislative push on data privacy

Rep. David Cicilline (D-R.I.) is the latest member of Congress to offer a legislative answer to the growing problem of consumer data breaches. His Consumer Privacy Protection Act, introduced Oct. 19, orders companies to notify consumers if sensitive information has been compromised in a data breach. The bill widens the scope of sensitive information, including not just Social Security and credit card numbers, but also digital photographs and geographical and biometric data.

Like Rep. Jim Langevin's (D-R.I.) September legislation, Cicilline's bill holds companies with access to sensitive data on more than 10,000 customers accountable, giving them 30 days to disclose data breaches involving personal information. If a breach that costs a customer $1,000 or more in "economic harm" is found to have been concealed, the responsible company can expect legal repercussions in the form of a fine or imprisonment.

Currently, 48 states have data breach laws in place. Provisions of Cicilline's bill would supersede any state law deemed "less stringent." The legislation has seven cosponsors, all Democrats. The original version was introduced in 2015.

Since the disclosure of the Equifax breach in September, there has been increased pressure on Capitol Hill to update the laws around consumer data privacy. Many officials agree that there is a need for new consumer privacy laws, but some wonder whether federal notification and national standards alone can fully help consumers mitigate the effects of cyber theft.

At an Oct. 17 Senate Banking Committee hearing, Chris Jaikaran, cybersecurity policy analyst at the Congressional Research Service, said that while a federal notification law would "provide a level of certainty for both businesses and consumers," follow-up remains critical.

"What will consumers be expected to do with that information? Do they just get a letter in the mail saying that their data was compromised and they're on their own? Or is there some recourse that the business or the corporation [must] provide to the consumer?" Jaikaran asked.

Sen. Mike Rounds (R-S.D.) stated that while he agreed with the idea of establishing a security standard and "continued surveillance" of credit reporting agencies, more must be done to combat perpetrators of these attacks.

"Until we get down to the point where there are actually consequences for the bad guys involved, we're not going to make the major dent that we have to in terms of cyber theft," Rounds said. "We're focusing on the people who are trying to provide services. We're not focusing on going after the guys who are actually causing the problems for everybody else."

About the Author

Ben Berliner is an editorial fellow at FCW. He is a 2017 graduate of Kenyon College, and has interned at the Center for Responsive Politics and at Sunlight Foundation.


