The mammoth Equifax data breach has generated widespread outrage at the company’s lax security and slow, confusing public response to a break-in that exposed 143 million Americans to the risk of identity theft — but it still may not be enough to jolt Congress into action.
Despite a spate of lawsuits, law enforcement investigations and upcoming congressional hearings on the breach, industry groups and consumer advocates expressed only limited hope about ending the Capitol’s decade-long logjam on legislation to protect Americans whose private information is falling into criminals’ hands at record rates. Anger but no action has been the typical response to past digital intrusions, including major breaches that affected tens of millions of customers at Target and Home Depot.
“Every time there’s been a major breach, I always have thought, ‘All right, this is it, this is the one that’s going to get everything to move,’” said Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable, which supports data breach legislation. “And I haven’t been right to date.”
Advocates are holding out hope, however, saying the Equifax breach is different — among the worst of all time, exposing data that are considered the crown jewels for identity thieves. The credit rating agency has also earned universal derision for what one lawmaker called a “stunningly inadequate” response, which included an apparent attempt to limit customers’ rights to sue the company. And three of the firm’s top executives are facing scrutiny after they sold off large troves of Equifax stock just days after the breach was discovered — though they have denied knowledge of the break-in at that time.
“Someone needs to go to jail,” said North Dakota Sen. Heidi Heitkamp, a Democrat who sits on the Banking Committee, during a speech Tuesday. “It’s a problem when people can act with impunity with no consequences.”
The confluence of factors has businesses and digital privacy hawks agreeing that the incident should be the final straw for a Congress that has spent years mired in the details of legislation that would impose nationwide security regulations for companies and require them to swiftly notify customers about data breaches. That doesn’t mean it will be, however.
To date, Congress has left the issue to the states, 48 of which have their own varying standards.
“I think this could be a point of inflection,” said Paul Martino, vice president and senior policy counsel at the National Retail Federation, which has spent years lobbying for a data breach bill.
“This breach is not about credit cards,” said Pam Dixon, executive director of the consumer advocate World Privacy Forum, referring to past mega-breaches that grabbed Congress’ attention, like those at Target and Home Depot. “This breach is about the building blocks of your identity.”
Lawmakers have already pounced. Rep. Lou Correa (D-Calif.) on Tuesday announced the first post-Equifax data breach notification bill. And multiple committees in both chambers have either scheduled hearings or sent Equifax letters demanding more details about the incident, including a bipartisan missive Tuesday from 36 senators demanding the government investigate the Equifax stock sales. Even in the Trump White House, which has made eliminating regulations one of its major priorities, press secretary Sarah Huckabee Sanders said Monday that the prospect of new rules governing data breaches is “something we have to look into extensively.”
While the attention has proponents of data breach bills hopeful, some cautioned that they’ve seen this cycle before. Others noted that several bipartisan champions of such legislation in recent years have since left Capitol Hill — such as former Rep. Randy Neugebauer (R-Texas), who chaired the House Financial Services subcommittee on financial institutions and consumer credit; ex-Rep. John Carney, who is now the Democratic governor of Delaware; and former Sen. Mark Kirk (R-Ill.).
The partisan divides, jurisdictional squabbles and industry rifts that paralyzed previous bills have also not been eradicated.
The key, said Kratovil and others, will be whether Congress remains attentive after this round of hearings and letters has died out.
“Is there a call to action, or is it, ‘OK, we’ve had our hearings?’” Kratovil said.
In recent years, Congress has dragged company executives in for a Capitol Hill finger-wagging in the wake of what were, at the time, unprecedented data breaches.
Retail giant Target sent its CEO to Washington in 2014 to account for a holiday-season data breach that compromised 40 million Americans’ payment card data. Later that year, Home Depot drew the ire of lawmakers after an intrusion that exposed the credit and debit card details for 56 million Americans. A breach at JPMorgan Chase that fall capped off the year by laying bare data on 76 million American households, spurring even more Capitol Hill hearings.
By 2015, data breach legislation — years in the works — had moved to the top of Congress’ cyber agenda, with several bipartisan offerings and the backing of the Obama administration. But as before, lawmakers couldn’t agree on the details, while industry groups fought each other over the various proposals.
Democrats and Republicans are split over whether Congress should completely pre-empt state laws and what penalties, if any, they should stipulate for scofflaw companies. Lawmakers also can’t agree on what type of information a federal law should protect, what type of incident should trigger a notification and whether certain industries should get exemptions.
At various points, numerous committees have all tried to take the lead on solving the issue, creating even more confusion.
Additionally, retailers and banks have long clashed over how to craft a data breach bill. Banks want security rules modeled after existing regulations governing the financial sector, while retailers prefer a more flexible security standard that is based on the size and scope of the business.
Still, fresh calls for action have come from all sides amid the Equifax debacle.
Senate Banking Chairman Mike Crapo (R-Idaho) told POLITICO on Tuesday that the incident had made him interested in examining a data breach bill. “The issue needs to be looked at,” he said.
And the Equifax outcry has revived bipartisan chatter on the topic.
“There’s been a renewed effort, certainly at the staff level,” Sen. Tom Carper (D-Del.), who offered a data breach bill last year with Sen. Roy Blunt (R-Mo.), told POLITICO on Tuesday. “I expect to talk up the senators this week to say, ‘Let’s get our heads back in this game.’”
Blunt added that he and Carper “have been trying to get that done for an embarrassingly long amount of time now.”
The pair is part of a broader Senate working group that has been discussing how to produce a bill that might actually move.
The group includes powerful Republicans like Commerce Chairman John Thune of South Dakota and Judiciary Chairman Chuck Grassley of Iowa, as well as top Democrats like California Sen. Dianne Feinstein, the Judiciary panel’s ranking member, and Intelligence ranking member Mark Warner of Virginia.
“The Equifax breach … in the end could cause great harm to our economic security,” Warner told POLITICO.
Warner is not being hyperbolic, said Dixon, the data privacy advocate. The breach may have included nearly every American adult’s date of birth and Social Security number — foundational, largely unchangeable identifiers — meaning the country faces a decades-long battle to combat identity theft and fraud, she said.
Armed with such data, crooks can get medical goods in someone else’s name, take over a bank account or pick and choose details from various profiles to create a “synthetic identity,” which damages each person’s credit rating.
Dixon called these “the most pernicious forms of identity theft,” warning, “They’re not going to go away.”
If Congress can’t move on strict data breach legislation, Dixon said, lawmakers should at least force credit rating agencies like Equifax to offer complimentary, lifelong identity theft monitoring.
“This breach is for our adult lifetime,” she said.