What will it take for Congress to act on a data breach?
WASHINGTON — As massive data breaches have become a regular occurrence, analysts now expect a similar response from policymakers: immediate outrage, some discussion of perennial bills to improve cybersecurity and data breach response measures, and ultimately no legislative progress.
And so was the sequence of the past week following news that as many as 500 million guests of Starwood hotels had their personal information exposed in a hack of the Marriott International subsidiary. Some lawmakers responded to the news with revived calls for data breach notification standards and other reforms, but then attention quickly diverted to other issues.
Some suggest that the public has now become so desensitized to data breaches that the lack of any policy response to cyber worries is a new normal. It may be up to the private sector to mitigate the harm.
“We’ve come to acknowledge that, unfortunately, breaches are going to happen, and discussions will really need to be centered on what companies can do to mitigate risks and potential consumer harm,” said Antonio Reynolds, a partner at Buckley Sandler.
The Starwood breach came just over a year after the Equifax breach exposed personal information, including Social Security numbers, from the credit files of roughly 148 million people. Washington was up in arms over that breach, and lawmakers pushed various pieces of legislation. But the frustration subsided fairly swiftly.
After the most recent hack became public Nov. 30, there were similar recriminations and calls for legislation. Analysts predict that the Starwood episode could result in congressional hearings with Marriott executives and perhaps some discussion about reforms, but the latest cyber intrusion is probably not enough to bring about legislation.
“It will elevate the issue,” said Brian Gardner, a policy analyst at Keefe, Bruyette & Woods. “Whether it elevates toward congressional action is harder to say.”
“When you add on that it’s just a complex issue to begin with, I’m not convinced Congress is actually going to legislate,” Gardner said. “I think there are going to be a ton of oversight hearings. I think that Congress will beat up on industry players. I think that the [Federal Trade Commission] is going to get hauled up to Congress. … Passing legislation is tougher to do.”
After the Equifax breach, several proposals were introduced and reintroduced, from mandating how companies notify customers of a breach, to a bill authored by Sens. Mark Warner, D-Va., and Elizabeth Warren, D-Mass., imposing hefty mandatory penalties for companies with lax security that results in the exposure of personal information.
But some lawmakers and industry groups worry the penalties would impose undue harm if the breaches don’t always involve negligence by the companies.
“Efforts to pass federal legislation on data breaches have largely failed to get much traction, and broad measures that would hit companies with big penalties for breaches are a bit Draconian,” Reynolds said.
Rep. Blaine Luetkemeyer, R-Mo., a senior member of the House Financial Services Committee, introduced his own bill to enact a federal data breach notification standard. But that legislation has faced backlash from consumer groups concerned that it would preempt state laws that already have stricter consumer protections.
“Many states have passed laws that give consumers protections,” said Ed Mierzwinski, senior director of federal consumer protection for U.S. Public Interest Research Group. “Many more states have laws that require you to notify consumers if you lose information at all.”
“We prefer that companies just do one thing: comply with the strongest state laws nationwide,” Mierzwinski added. “Federal law should always be a floor of protection.”
To further complicate things, data security falls under the jurisdiction of multiple congressional committees — including banking, judiciary, finance and commerce — posing a challenge for building consensus on data breach reforms.
The multijurisdictional hurdle for data security legislation was illustrated in congressional hearings with Richard Smith, the former chief executive at Equifax. He testified before the banking and commerce committees in both chambers, as well as before the Senate Judiciary Committee.
“When issues span multiple Senate committees it can lead to either congressional gridlock ... as was the case with China’s currency manipulation in the last decade,” said Aaron Klein, economic studies policy director at the Brookings Institution.
“Other times committees can race each other with building information and work more collaboratively and combine their work together because nobody wants to be left behind,” Klein added.
But some members of Congress aren’t willing to give up on a legislative path forward to protect consumer data.
Warner has indicated at several Senate Banking Committee hearings that data breach legislation will be a priority in the next Congress.
“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans,” Warner said in a press release following the announcement of the Marriott breach. “Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve.
“We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
Sen. Ron Wyden, D-Ore., who is the ranking member of the Senate Finance Committee, introduced another bill to combat data breaches last month. His bill would include steep penalties for firms with lax protocols. The bill would also create a “Do Not Track” system to enable consumers to stop third-party companies from tracking them on the web.
But Klein said there still has not been a cyber incident serious enough to force Congress to really bear down on the issue.
“It would require an incident far greater than any that we’ve experienced to create the external must-pass shock,” Klein said. “Breaches of the Yahoo, Marriott, Home Depot variety are not enough.”
Justin Schardin, a fellow at the Bipartisan Policy Center, said he could see the issue move through the Democratic House in the next Congress under the leadership of Rep. Maxine Waters, D-Calif., who is expected to chair the House Financial Services Committee.
“There’s always one incident that pushes it over the edge where Congress acts. ... And I don’t know if [the Starwood breach] is going to be the one,” said Schardin. “I think the House is likely to pass several bills on financial services as well as Congress. … Chairman Waters is really focused on consumer protection issues, so this would really sit with what she really wants to do.”