Equifax Hack Opens Door for Hill Action on Cybersecurity

From liability reform to a reordering of federal cyber-standards for financial firms, Equifax may push Congress to buckle down on data security.

Brendan Bordelon
Sept. 25, 2017, 8 p.m.

With Congress still wrestling over health care and gearing up for a complicated fight on tax reform, the time hardly seems ripe for sweeping cybersecurity legislation. But the Equifax hack—perhaps the most egregious breach in the history of U.S. data security, with the private financial data of as many as 143 million Americans affected—could motivate Capitol Hill to pile more bills onto an already packed plate.

“If this doesn’t move the needle, it’s kind of hard to imagine what would,” said Steven Weber, the faculty director for the UC Berkeley Center for Long-Term Cybersecurity. The House and Senate are both set to hold hearings early next month on the credit-reporting service’s data-security practices, and experts believe the hack could spur federal lawmakers into bold action.

But a post-Equifax cybersecurity push would be a convoluted process. Lawmakers will have to decide whether they should work to change cybersecurity practices more broadly or focus on specific reforms to the credit-reporting industry. They’ll grapple with topics as varied as the complex liability regime governing data security in the United States, cybersecurity-information-sharing arrangements between private industry and law enforcement, and the wisdom of using Social Security numbers as universal identifiers. And they’ll do so against jurisdictional headwinds that make passing cybersecurity legislation an uphill battle.

“We’re going to have a public inquisition of Equifax executives before committees; I’m sure there’s going to be a lot of table-pounding,” said Edward McAndrew, a former federal cybercrimes prosecutor and now a lawyer at Ballard Spahr. “And it’ll be very interesting to see if this Congress, and this administration, can actually enact any sort of legislation.”

Equifax announced the massive data breach on Sept. 8, revealing that up to 143 million Americans had their names, Social Security and driver’s license numbers, and other personal financial information stolen by hackers. The firm was later accused of leaving a known vulnerability in its data-security systems unpatched for more than two months before the hack began, and of waiting too long between first noticing the breach and notifying law enforcement and the public. Equifax is now facing a slew of class-action lawsuits, investigations by the FBI and the Federal Trade Commission, and legal action from the state of Massachusetts.

But most cybersecurity experts say Congress also has a role to play in the wake of the hack. Low-hanging fruit includes a provision that would stop credit-reporting agencies from sending unsolicited consumer financial information to third parties (including would-be identity thieves). Sen. Elizabeth Warren introduced such a bill earlier this month, and experts say it’s a no-brainer to allow customers to “freeze” access to their credit files without incurring fees. “I think Congress should say, ‘Your credit reports are yours and [companies] can’t show them to anybody,’” said Herbert Lin, the senior cybersecurity researcher at Stanford University’s Center for International Security and Cooperation.

Congress could also work to bring cybersecurity standards at credit-reporting firms in line with standards imposed on the broader financial industry. While most of the U.S. economy remains outside federal cybersecurity rules, there are at least two federal statutes mandating a minimum level of data protection at Equifax and other credit-reporting companies. The problem, several experts say, is that those standards are lower than the ones imposed on banks. That’s backwards, since each of the three major credit-reporting firms possesses the personal data of a much larger cross-section of Americans than any one bank does. “One approach, which seems—on the surface anyway—reasonable, is to hold them to the same kinds of cybersecurity standards that New York state is imposing on the banks, and sort of treat them like a financial institution,” Lin said.

Broader cybersecurity concerns could also come up in Congress. It’s notoriously difficult to sue U.S. firms for failing to secure personal data, because no federal standard exists through which consumers can prove harm and hold companies accountable for slip-ups like failing to patch vital systems. Tightening cybersecurity-liability standards could be on the table, if for no other reason than to push companies like Equifax to take more responsibility for data security rather than billing the damages to cyber-insurance policies. “Why should we be allowing them to hide behind an insurance policy because of their own negligence and complacency?” said Richard Forno, assistant director of the University of Maryland, Baltimore County’s Center for Cybersecurity.

Experts are split on other possible remedies, including the creation of a mandatory reporting system in which companies are required to inform federal law enforcement when they suspect a breach. While McAndrew said immediate notification is not feasible, given the complexity of determining whether a hack took place, an “early-warning system” could be implemented in which suspicious activity is forwarded to law enforcement under the threat of federal penalties. Lin, however, worried that would cause a flood of reports detailing every possible cyber-intrusion, which he believes would defeat the purpose.

Others have also floated the idea of Congress banning the use of Social Security numbers as universal identifiers, given how prevalent their theft has become in cyberspace. But many in the security community say it would be politically impossible for the federal government to issue new national identification numbers, and congressional efforts would be better focused elsewhere. “It’s so late that getting into a fight about it would almost be a distraction,” said Weber. “It will divert energy away from where something more important could happen.”

Few of these options are easy fixes, and most require the creation of complex frameworks to determine thresholds for minimum security and companies’ liability for breaches. Because of overlapping authorities on cybersecurity, those frameworks may be particularly difficult to navigate on Capitol Hill. “On an issue like this, there’s six or seven committees that can claim jurisdiction,” said Nathan Taylor, a cybersecurity lawyer at Morrison & Foerster. “So if you have to get through a number of different committees, negotiations with different committee staff, it doesn’t create a great recipe for success.”
