The congressional itch to "do something" on cybersecurity is especially pronounced after the Equifax breach, but whether lawmakers will go large, small or not at all is decidedly unclear.
Equifax affected so many consumers that lawmakers from both parties seem more determined than usual to make something happen on consumer data security and breach notification legislation that has stalled over multiple Congresses.
"Equifax may well be the tipping point that leads to action that can get through one or both chambers," said the Financial Services Roundtable's Jason Kratovil. "That is the hope."
FSR and the Retail Industry Leaders Association, among others, have been on the front lines of a push for a national breach notification standard — in place of a patchwork of 48 state standards — although the two groups frequently have clashed over the details.
In the House, Financial Services Chairman Jeb Hensarling, R-Texas, and financial institutions subcommittee Chairman Blaine Luetkemeyer, R-Mo., have been meeting with stakeholders on possible data-breach legislation. Committee member Patrick McHenry, R-N.C., has introduced a targeted bill that deals specifically with cybersecurity and other issues at consumer credit rating agencies such as Equifax.
McHenry is hoping to get a hearing on the proposal in the coming weeks, according to an aide to the lawmaker.
Lobbyists from different industries said the McHenry bill could move before the committee takes on a larger breach notification measure, which would check the post-Equifax "do-something" box, or it could be folded into a larger effort.
Hensarling hasn't appeared to be in a rush to move legislation, although he and Luetkemeyer both promised to revisit, and perhaps revise, data-breach legislation the committee passed last session.
"The majority is being tentative on this bill, this time around," said one private-sector source closely following the issue. "There are more traps than usual for the committee on this."
But a little healthy competition between committees might put the legislative effort on a faster track.
The House Energy and Commerce Committee has announced its own follow-up hearing for this Wednesday on "Securing Consumers' Credit Data in the Age of Digital Commerce," at the digital commerce and consumer protection subcommittee.
Energy and Commerce Chairman Greg Walden, R-Ore., and subcommittee Chairman Bob Latta, R-Ohio, both have been skeptical about data-breach legislation, but they may be even more wary of allowing the Financial Services Committee to get ahead with its own version of a bill.
The Financial Services panel announced it will have a subcommittee hearing the same day on consumer data vulnerabilities.
Both committees passed data-breach bills in the last Congress and were unable to iron out their differences, which prevented any measure from reaching the floor.
It's not clear if that dynamic persists, and the two panels still seem to be circling one another on the issue.
"We don't expect serious discussions of what should be in a bill at these hearings," said FSR's Kratovil. "But Equifax is an opportunity for the two committees to find common ground and unite."
In the Senate, the GOP leaders of the Banking, Commerce and Judiciary committees aren't revealing any plans yet for next steps, either on breach notification in general or on credit rating agencies in particular.
Senators from both parties this week pointed to a bipartisan Senate working group on the breach-notification issue.
Sen. Mark Warner, D-Va., has been leading discussions among senators in that group, but congressional and other sources said an actual legislative product isn't imminent. "They are relooking at all their past work through a post-Equifax lens," said one industry source.
The Senate leadership, like that in the House, will be looking to see whether lawmakers can get over their jurisdictional and substantive differences this time before committing floor time to legislation.
That will be the test for whether intense interest in "doing something" actually translates into a new national approach to data security and consumer notification of breaches — after 145 million Americans learned their most sensitive financial data was now for sale on the digital black market.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.