After Equifax breach, anger but no action in Congress

The massive Equifax data breach, which compromised the identities of more than 145 million Americans, prompted a telling response from Congress: It did nothing.

Some industry leaders and lawmakers thought September’s revelation of the massive intrusion — which took place months after the credit reporting agency failed to act on a warning from the Homeland Security Department — might be the long-envisioned incident that prompted Congress to finally fix the country’s confusing and ineffectual data security laws.

Instead, the aftermath of the breach played out like a familiar script: white-hot, bipartisan outrage, followed by hearings and a flurry of proposals that went nowhere. As is often the case, Congress gradually shifted to other priorities — this time the most sweeping tax code overhaul in a generation, and another mad scramble to fund the federal government.

“It’s very frustrating,” said Rep. Jan Schakowsky of Illinois, the top Democrat on the House Energy and Commerce consumer protection subcommittee, who introduced legislation in the wake of the Equifax incident.

“Every time another shoe falls, I think, ‘Ah, this is it. This will get us galvanized and pull together and march in the same direction.’ Hasn’t happened yet,” said Sen. Tom Carper (D-Del.), a member of a broader Senate working group that has tinkered for years to come up with data breach legislation.

Morning Cybersecurity A daily briefing on politics and cybersecurity — weekday mornings, in your inbox. Email Sign Up By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time.

Every time lawmakers punt on the issue, critics say, they are leaving Americans more exposed to ruinous identity theft scams — and allowing companies to evade responsibility. With no sign that mammoth data breaches like the one at Equifax are abating, the situation is only growing more dire, according to cyberspecialists.

In the meantime, companies and consumers are left to navigate 48 different state-level standards that govern how companies must protect sensitive data and respond to data breaches. Companies say the varying rules are costly and time-consuming, while cyberspecialists and privacy hawks argue they do little to keep Americans’ data safe.

But while industry groups, security experts, privacy advocates and lawmakers of both parties agree that Congress must do something to unify these laws, no one has been able to agree on what that “something” should be.

On Capitol Hill, lawmakers have struggled to navigate an issue that touches several committees, while tussling over how strongly a federal law should preempt state regulations — Democrats worry a weak federal standard might supplant robust state laws, but Republicans don’t want to give too much power to federal regulators.

In the private sector, industries like banking — which already have strict, sector-specific data security rules on the books — have pushed to apply their regulations to broad swaths of the economy. But other industries, such as retailers, believe such a move would impose unnecessary standards on smaller businesses that don’t collect as much sensitive data.

Lawmakers told POLITICO that similar forces were at play post-Equifax.

Carper’s working group is effectively “on hold” for now, he told POLITICO, falling victim to jurisdictional issues. The group features Republican leaders like Senate Commerce Chairman John Thune of South Dakota and Judiciary Chairman Chuck Grassley of Iowa, as well as senior Democrats like Intelligence ranking member Mark Warner of Virginia and Dianne Feinstein of California, ranking member on the the Judiciary panel.

And long-running industry battles came roaring back, Warner said. While lawmakers mostly got the retail and banking industries on board, telecommunications firms — which are already subject to industry-specific privacy rules — became a sticking point.

“I think one of the problems was telecom,” said Warner, himself a former telecom executive.

“All industries have to be covered” by federal data breach laws, Warner added. “But then, how they’re covered could be tailored. … What you can’t do is start coming along and carving out. I think that still remains to be an issue.”

The lack of legislative response has industry groups and lawmakers, including Thune, uttering a familiar refrain: Wait until next year.

In a statement, Thune said that as much as he favors “an effective and coordinated approach on data security issues across industries, the reality is that our legislative progress has been much more incremental this year.

“There hasn’t been — and still isn’t — consensus among major stakeholders on data breach and data security legislation,” he added. “There isn’t a panacea for cybersecurity and the absolute worst thing we could do is pass an ineffective mandate that leads Americans to take our guard down.”

Those working on the issue also expressed cautious optimism about 2018, despite the fact that Congress has been bullish about “next year” for the last half-decade, to no avail.

“I think there is a political dynamic and clearly a policy interest in doing something to stop these breaches, by deterring them and helping people who are harmed by them,” said Sen. Richard Blumenthal (D-Conn.), who is backing legislation that would let prosecutors potentially seek jail time for companies that cover up data breaches. Ride-hailing giant Uber was recently caught mounting such a cover-up, when it disclosed it had paid $100,000 to keep hackers silent about a 2016 digital theft that compromised 57 million customers’ information.

“Certainly, every member here has had constituents that have been victims of these breaches, be it Target or Equifax or whoever, and you would think that they would be interested in moving ahead,” added Schakowsky, whose bill would set federal digital security benchmarks and require prompt notification and ongoing assistance to breach victims.

House Energy and Commerce Chairman Greg Walden told POLITICO he was working on “a more consumer-first policy” that he plans to unveil after additional hearings in 2018.

The measure would create penalties in a way that “actually inures to the benefit of the consumer,” instead of “just another penalty to the government [where] the government gets paid,” said the Oregon Republican.

Industry representatives who track the negotiations said some progress is occurring on Capitol Hill, despite the lack of concrete steps in the past four months.

Lawmakers are trying to produce a bill that can actually move, said Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable, which has backed proposals from a House Financial Services subpanel in the past.

“I think there’s a lot of energy being spent trying to get this one right and work toward a legislative outcome that isn’t just a product of one committee and one committee’s jurisdiction, but instead is something that is going to have a lot of interest and a lot of support from many different stakeholders,” he told POLITICO.

A retail industry representative told POLITICO that 2018 might be different because industries are increasingly not using data security as a proxy battle for other policy fights.

“In this case, we think we can find some common ground,” said the individual, who requested anonymity to discuss behind-the-scenes negotiations. “I don’t think that was there before.”

The overriding factor pressuring lawmakers and industry groups to take action will be the gobsmacking way companies have mishandled their data breaches — a trend that shows no signs of ending in 2018.

But if the Equifax breach — which featured basic security failures, allegations of insider trading and possible attempts to prevent consumers from suing the company — didn’t do the trick, some aren’t sure what will.

“When you’ve got 145 million people, you would think, but …” Schakowsky said, trailing off and throwing up her hands.