With Congress still wrestling over health care and gearing up for a complicated fight on tax reform, the time hardly seems ripe for sweeping cybersecurity legislation. But the Equifax hack—perhaps the most egregious breach in the history of U.S. data security, with the private financial data of as many as 143 million Americans affected—could motivate Capitol Hill to pile more bills onto an already packed plate.
“If this doesn’t move the needle, it’s kind of hard to imagine what would,” said Steven Weber, the faculty director for the University of California (Berkeley) Center for Long-Term Cybersecurity. The House and Senate are both set to hold hearings early next month on the credit-reporting service’s data-security practices, and experts believe the hack could spur federal lawmakers into bold action.
But a post-Equifax cybersecurity push would be a convoluted process. Lawmakers will have to decide whether they should work to change cybersecurity practices more broadly or focus on specific reforms to the credit-reporting industry. They’ll grapple with topics as varied as the complex liability regime governing data security in the United States, cybersecurity-information-sharing arrangements between private industry and law enforcement, and the wisdom of using Social Security numbers as universal identifiers. And they’ll do so against jurisdictional headwinds that make passing cybersecurity legislation an uphill battle.
“We’re going to have a public inquisition of Equifax executives before committees; I’m sure there’s going to be a lot of table-pounding,” said Edward McAndrew, a former federal cybercrimes prosecutor and now a lawyer at Ballard Spahr. “And it’ll be very interesting to see if this Congress, and this administration, can actually enact any sort of legislation.”
Equifax announced the massive data breach on Sept. 8, revealing that up to 143 million Americans had their names, Social Security and driver’s license numbers, and other personal financial information stolen by hackers. The firm was later accused of failing to patch vulnerable data-security systems over two months before the hack began, and of waiting too long from the time it first noticed the breach to when it notified law enforcement and the public. Equifax is now facing a slew of class-action lawsuits, investigations by the FBI and the Federal Trade Commission, and legal action from the state of Massachusetts.
But most cybersecurity experts say Congress also has a role to play in the wake of the hack. Low-hanging fruit includes a provision that would stop credit-reporting agencies from sending unsolicited consumer financial information to third parties (including would-be identity thieves). Sen. Elizabeth Warren introduced such a bill earlier this month, and experts say it’s a no-brainer to allow customers to “freeze” access to their credit files without incurring fees. “I think Congress should say, ‘Your credit reports are yours and [companies] can’t show them to anybody,’” said Herbert Lin, the senior cybersecurity researcher at Stanford University’s Center for International Security and Cooperation.
Congress could also work to bring cybersecurity standards at credit-reporting firms in line with standards imposed on the broader financial industry. While most of the U.S. economy remains outside federal cybersecurity rules, there are at least two federal statutes mandating a minimum level of data protection at Equifax and other credit-reporting companies. The problem, several experts say, is that those standards are lower than the ones imposed on banks. That’s backwards, since each of the three major credit-reporting firms possesses the personal data of a much larger cross-section of Americans than any one bank does. “One approach, which seems—on the surface anyway—reasonable, is to hold them to the same kinds of cybersecurity standards that New York state is imposing on the banks, and sort of treat them like a financial institution,” Lin said.
Broader cybersecurity concerns could also come up in Congress. It’s notoriously difficult to sue U.S. firms for failing to secure personal data, because no federal standard exists through which consumers can prove harm and hold companies accountable for slip-ups like failing to patch vital systems. Tightening cybersecurity-liability standards could be on the table, if for no other reason than to push companies like Equifax to take more responsibility for data security rather than billing the damages to cyber-insurance policies. “Why should we be allowing them to hide behind an insurance policy because of their own negligence and complacency?” said Richard Forno, assistant director of the University of Maryland, Baltimore County’s Center for Cybersecurity.
Experts are split on other possible remedies, including the creation of a mandatory reporting system in which companies are required to inform federal law enforcement when they suspect a breach. While McAndrew said immediate notification is not feasible, given the complexity of determining whether a hack took place, an “early-warning system” could be implemented in which suspicious activity is forwarded to law enforcement under the threat of federal penalties. Lin, however, worried that would cause a flood of reports detailing every possible cyber-intrusion, which he believes would defeat the purpose.
Others have also floated the idea of Congress banning the use of Social Security numbers as universal identifiers, given how prevalent their theft has become in cyberspace. But many in the security community say it would be politically impossible for the federal government to issue new national identification numbers, and congressional efforts would be better focused elsewhere. “It’s so late that getting into a fight about it would almost be a distraction,” said Weber. “It will divert energy away from where something more important could happen.”
Few of these options are easy fixes, and most require the creation of complex frameworks to determine thresholds for minimum security and companies’ liability for breaches. Because of overlapping authorities on cybersecurity, those frameworks may be particularly difficult to navigate on Capitol Hill. “On an issue like this, there’s six or seven committees that can claim jurisdiction,” said Nathan Taylor, a cybersecurity lawyer at Morrison & Foerster. “So if you have to get through a number of different committees, negotiations with different committee staff, it doesn’t create a great recipe for success.”