It's been 125 days since the Equifax mega breach was announced.
After angry congressional hearings, a social media firestorm, and calls to ditch the Social Security number as an authenticator, not much happened.
However, Congress may finally be ready to respond with what the industry had feared: legislation that increases both regulation and fines.
Two U.S. Senators introduced a bill specifically targeted at credit reporting agencies, which are referred to as "CRAs" for short.
Senator Elizabeth Warren explained why the industry deserves to be singled out: "The financial incentives here are all out of whack—Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," she says.
The Data Breach Prevention and Compensation Act sets out to change that by doing the following:
Under this legislation, Equifax would have had to pay at least a $1.5 billion penalty. And the FTC would have the leverage necessary to increase penalties in cases of "woefully inadequate cybersecurity" or if a CRA fails to timely notify the FTC of a breach.
And as long as Congress is talking about timely breach response, it may want to look at the FDIC, which has an average breach notification time of 288 days.
But for now, it's all about Equifax, and because of the fallout, the company's competitors as well.
Editor's note: Equifax reported 2017 Q3 revenue up 4% year-over-year, with slightly less than $90 million of reported costs for breach response in Q3.