Democratic Sen. Elizabeth Warren of Massachusetts has earned a reputation as a fierce consumer advocate. She’s gone after big banks and financial institutions, but now she’s setting her sights on credit-rating agencies. Specifically Equifax, which endured a massive security breach last year. Over 100 million consumers had their personal information, like Social Security numbers and addresses, compromised in the hack. Now Warren and Sen. Mark Warner, a Democrat from Virginia, are introducing legislation that would levy harsh penalties for similar types of security breaches at Equifax and other rating agencies. Last year, Warren sponsored a bill that would allow consumers to freeze their credit any time for free, a service that rating agencies, including Equifax, have traditionally charged for. (Equifax waived these fees for a limited time after the Sept. 2017 breach.) Warren spoke with Marketplace Tech host Molly Wood about her office’s recent report on the Equifax hack and her proposals to combat the cyber threat to consumers. The following is an edited transcript of their conversation.

Molly Wood: So your office is investigating the Equifax breach and issued this report. In a few words, what did you find?

Sen. Elizabeth Warren: Well, we did a five-month-long investigation and found that Equifax had failed to disclose to Congress, and to the American people, the extent of this massive breach. We found out that Equifax failed to follow its own internal requirements for notifying consumers following the breach of sensitive data. We found that Equifax, fully knowing about their security failures, took advantage of a loophole to secure a contract from the IRS and cost taxpayers a “zillion” dollars. And we found that Equifax’s entire cybersecurity apparatus was inadequate to protect American consumers.

Wood: And senator, this is a lot of very detailed information in your report. Can you tell us, for the reporters in the room, how did your staff go about gathering this information?

Warren: Well, mostly we went out and talked to everybody we could. I questioned Equifax executives at Senate hearings. We consulted with outside experts. We sent letters with dozens of questions directly to Equifax, to federal regulators, to other credit-reporting agencies. We let the experts inform us about the kind of data that are collected and how they’re collected. So we put it together from a lot of different places and found out that Equifax, quite simply, had not told the whole story to the American people. What they did was worse, a whole lot worse, than they originally admitted.

Wood: You’ve introduced two bills in response the Equifax hack, including one that would give the FTC, the Federal Trade Commission, authority to penalize credit agencies that don’t protect data adequately. Can you tell us about that?

Warren: Sure. So just to get it on the table, the first one is the ability of consumers just to be able to “turn off” Equifax, so that if they don’t want Equifax selling their information so that somebody can open a checking account or a credit card in their name, consumers ought to be able to do that. Or if consumers don’t want Equifax to sell their data to, you know, some cruise company that’s looking for prospects, the consumer ought to be able to do that. After all, the consumer didn’t agree to do business with Equifax, so we think the consumer ought to have a lot more control over their data.

But the second part is this fundamental question: How do you make sure going forward that Equifax and the other credit-reporting agencies are going to take the right level of security? Clearly they failed badly here. And the problem is there’s no real penalty for them. You know, it’s not like consumers can say, “Well, that’s it. I’m never going to do business with Equifax again.” That’s not how it works with credit-reporting agencies. In fact, Equifax may actually make money off this breach because it sells all these credit-protection devices, and even consumers who say, “Hey, I’m never doing business with Equifax again,” well, good for you, but you go buy credit protection from someone else, they very well may be using Equifax to do the back office part. So Equifax is still making money off their own breach.

So what Sen. Warner and I proposed is what’s called “strict liability.” It says if for any reason your data gets stolen, it’s 100 bucks for the theft of the first piece of data, and 50 bucks for the theft of every following piece of data for every consumer whose data is stolen up to potentially half the value of the company. It’s hard. It’s flat. It’s easy to read. And the point is to get the credit-rating agencies to take the right level of security. They take the right level of security, they invest enough in security, then the American people will be protected. They don’t invest enough in security and shoot, the fact that 145 million Americans have already lost data? We can count on it happening again and again and again.

Wood: Well, it feels like a little bit of a double bind for consumers because, as you note and your report notes, these agencies have incredible power in our lives but potentially even less oversight than traditional financial institutions. And there is no appetite for regulation right now. How likely is your legislation, or any legislation, to pass that really addresses these agencies in particular.

Warren: Look, we’ve got a recurring problem in Washington. And that is that big corporations that can spend a lot of money lobbying and a lot of money making campaign contributions and a lot of money hiring PR firms and bought-and-paid-for experts can get what they want much of the time here in Washington. And in the case of these big financial outfits, it’s to protect themselves from regulation. Don’t get any laws passed, don’t make any changes. But you know, I get that they’ve got a lot of money and a lot of concentrated power, but there’s a whole lot more of us than there is of them. There are 145 million adults in America whose personal financial information has been stolen. And who knows how it’s being used now in the depths of the internet? Who’s buying it? Not only here in America for financial reasons, but all around the world. What foreign countries are buying it in order to do what kind of injury to people individually and to this country? So my view on this is we get enough people across the country speaking up about this, enough people demanding that their senators and their representatives put some kind of checks in place over Equifax and the other credit-reporting companies. I actually think we can make a difference here. You know, I really like to underline, this isn’t partisan. Republicans and Democrats had their credit information stolen. Social Security numbers are now floating around out there for both Republicans and Democrats. And it is now up to the federal government to put some rules in place so this doesn’t happen again.

Wood: Do you get the sense from your colleagues that they support this legislation or legislation like it?

Warren: Let me put it this way. Pretty much everybody says, “Oh yeah, we need to do something.” It’s just how do you get from the general statement of something down to here’s the specific thing we could do. So I’m talking it up with everybody I can in the Senate. And that means every part of this, it means talking with Republicans, with Democrats, everybody, trying to say, “Come on, join us on this, let’s push through a bipartisan bill to protect American consumers to make sure that the data that they never even authorized to be collected, to make sure that those data are safe and that people don’t end up with their data floating around in the hands of thieves and scammers.” You know, that’s what really gets me about the Equifax breach here. It’s not just that people pay the price immediately after it happened. It’s that with credit card numbers gone, names gone, addresses gone and phone numbers gone, all of this information that has been compromised, people can be paying a price for this for years to come. It’s up to the federal government to represent the interest, not of an industry, of a corporation, it’s to represent the interest of the American people. And in this case, that means passing some sensible rules to make sure that consumers have more control over their own data and that the companies that collect these data are forced to take the right kinds of security measures to ensure that the data are held safe.

Wood: And given that, do you have any sense of when your bills might move forward?

Warren: I’m pushing. I’m pushing right now. You know, there’s talk of a banking bill that might go forward in a couple of weeks. Where I’m pushing there is to say, “Are you kidding me? We’re really talking about deregulating banks instead of getting more rules in place to protect consumers from Equifax and companies that are careless with their data?” So we’re going to be talking about financial services here in the Senate starting probably next week. And I think that’s a good opportunity to push forward on Equifax and the credit-reporting companies to say, “Hey, it’s time to put some rules in place to protect the American people.” Congress is not here to work for the industry. Congress is here to work for the American people.

Wood: Let’s say none of these bills move forward. Certainly a lot of states are going after Equifax. But the [Consumer Financial Protection Bureau] is reportedly backing away from investigating the breach. FTC investigations can take a long time. What happens to them in the meantime?

Warren: Yeah, that has me really worried. You know, with Mick Mulvaney now trying to hollow out the Consumer Financial Protection Bureau and trying to leash up the consumer watchdog, we sure can’t rely on him to do anything about Equifax. Some of the state attorneys general are jumping in, and, you know, God bless them. I’m really glad they’re in this fight, but this is a place where the federal government needs to act. We have oversight responsibility here, and we need to act on that responsibility.

Wood: The SEC actually just issued updated guidance around public companies and how they have to notify investors and customers about cybersecurity incidents and maybe to crack down on insider trading that’s related to those breaches. Is that a sign, do you think, that interest in this issue might be increasing in Washington?

Warren: I think it is a sign that there is more interest in the vulnerability that Americans have to companies that collect a lot of data and then don’t take care of it. But, no place is that clearer than in credit reporting. I mean, let’s face it, that’s all these guys do. It’s not like they also make steel or produce cars or put on TV shows. All they do is collect data and package that data up and then sell it, and if they won’t take basic care with that data, then they’re making a profit by putting everybody else in America at risk. And that has to stop.

Wood: I have to ask you, I know we have just a few minutes left, you have raised a lot of money. You’re running for re-election in the Senate now. But I think everyone wants to know in 2020 are you going to run for president?

Warren: I am not running for president. I am up in 2018 in Massachusetts. I take nothing for granted. I am running hard in my Senate race. But I also want to be clear. We’ve got a lot of fights in front of us right now. We can’t just wait for every four years let’s all get focused on what happens in a presidential. Look at Equifax. Look at the 145 million Americans whose basic data, whose Social Security numbers and phone numbers and addresses and names have all been lost and are out there being traded by criminals, thieves and scammers. We’ve got to stay in these fights every single day, and that’s what I’m doing.

Subscribe to the Marketplace Tech podcast