With Congress still wrestling over health care and gearing up for a complicated fight on tax reform, the time hardly seems ripe for sweeping cybersecurity legislation. But the Equifax hack—perhaps the most egregious breach in the history of U.S. data security, with the private financial data of as many as 143 million Americans affected—could motivate Capitol Hill to pile more bills onto an already packed plate.
“If this doesn’t move the needle, it’s kind of hard to imagine what would,” said Steven Weber, the faculty director for the University of California (Berkeley) Center for Long-Term Cybersecurity. The House and Senate are both set to hold hearings early next month on the credit-reporting service’s data-security practices, and experts believe the hack could spur federal lawmakers into bold action.
But a post-Equifax cybersecurity push would be a convoluted process. Lawmakers will have to decide whether they should work to change cybersecurity practices more broadly or focus on specific reforms to the credit-reporting industry. They’ll grapple with topics as varied as the complex liability regime governing data security in the United States, cybersecurity-information-sharing arrangements between private industry and law enforcement, and the wisdom of using Social Security numbers as universal identifiers. And they’ll do so against jurisdictional headwinds that make passing cybersecurity legislation an uphill battle.
“We’re going to have a public inquisition of Equifax executives before committees; I’m sure there’s going to be a lot of table-pounding,” said Edward McAndrew, a former federal cybercrimes prosecutor and now a lawyer at Ballard Spahr. “And it’ll be very interesting to see if this Congress, and this administration, can actually enact any sort of legislation.”
Equifax announced the massive data breach on Sept. 8, revealing that up to 143 million Americans had their names, Social Security and driver’s license numbers, and other personal financial information stolen by hackers. The firm was later accused of failing to patch vulnerable data-security systems over two months before the hack began, and of waiting too long from the time it first noticed the breach to when it notified law enforcement and the public. Equifax is now facing a slew of class-action lawsuits, investigations by the FBI and the Federal Trade Commission, and legal action from the state of Massachusetts.
But most cybersecurity experts say Congress also has a role to play in the wake of the hack. Low-hanging fruit includes a provision that would stop credit-reporting agencies from sending unsolicited consumer financial information to third parties (including would-be identity thieves). Sen. Elizabeth Warren introduced such a bill earlier this month, and experts say it’s a no-brainer to allow customers to “freeze” access to their credit files without incurring fees. “I think Congress should say, ‘Your credit reports are yours and [companies] can’t show them to anybody,’” said Herbert Lin, the senior cybersecurity researcher at Stanford University’s Center for International Security and Cooperation.
Congress could also work to bring cybersecurity standards at credit-reporting firms in line with standards imposed on the broader financial industry. While most of the U.S. economy remains outside federal cybersecurity rules, there are at least two federal statutes mandating a minimum level of data protection at Equifax and other credit-reporting companies. The problem, several experts say, is that those standards are lower than the ones imposed on banks. That’s backwards, since each of the three major credit-reporting firms possesses the personal data of a much larger cross-section of Americans than any one bank does. “One approach, which seems—on the surface anyway—reasonable, is to hold them to the same kinds of cybersecurity standards that New York state is imposing on the banks, and sort of treat them like a financial institution,” Lin said.
Broader cybersecurity concerns could also come up in Congress. It’s notoriously difficult to sue U.S. firms for failing to secure personal data, because no federal standard exists through which consumers can prove harm and hold companies accountable for slip-ups like failing to patch vital systems. Tightening cybersecurity-liability standards could be on the table, if for no other reason than to push companies like Equifax to take more responsibility for data security rather than billing the damages to cyber-insurance policies. “Why should we be allowing them to hide behind an insurance policy because of their own negligence and complacency?” said Richard Forno, assistant director of the University of Maryland, Baltimore County’s Center for Cybersecurity.
Experts are split on other possible remedies, including the creation of a mandatory reporting system in which companies are required to inform federal law enforcement when they suspect a breach. While McAndrew said immediate notification is not feasible, given the complexity of determining whether a hack took place, an “early-warning system” could be implemented in which suspicious activity is forwarded to law enforcement under the threat of federal penalties. Lin, however, worried that would cause a flood of reports detailing every possible cyber-intrusion, which he believes would defeat the purpose.
Others have also floated the idea of Congress banning the use of Social Security numbers as universal identifiers, given how prevalent their theft has become in cyberspace. But many in the security community say it would be politically impossible for the federal government to issue new national identification numbers, and congressional efforts would be better focused elsewhere. “It’s so late that getting into a fight about it would almost be a distraction,” said Weber. “It will divert energy away from where something more important could happen.”
Few of these options are easy fixes, and most require the creation of complex frameworks to determine thresholds for minimum security and companies’ liability for breaches. Because of overlapping authorities on cybersecurity, those frameworks may be particularly difficult to navigate on Capitol Hill. “On an issue like this, there’s six or seven committees that can claim jurisdiction,” said Nathan Taylor, a cybersecurity lawyer at Morrison & Foerster. “So if you have to get through a number of different committees, negotiations with different committee staff, it doesn’t create a great recipe for success.”