In the aftermath of the breach at consumer credit rating agency Equifax, during which the company was widely criticized for waiting six weeks to notify consumers of the hack, one would think a requirement to notify consumers within a certain amount of time would be an obvious policy option. Yet such a requirement has been one of the most difficult cyber issues for lawmakers to address.
Multiple congressional panels are investigating the breach, which affected 143 million U.S. consumers and has been attributed to poor “patching” practices at the firm, meaning it may not have used readily available fixes to plug cyber vulnerabilities.
Forty-eight states and the District of Columbia have already adopted notification standards, generally requiring that consumers be informed of a breach affecting their data within 30 days of discovery, although the standards vary.
Why has it been so hard to create a national standard?
House Energy and Commerce Chairman Rep. Greg Walden, R-Ore., whose committee expects to hear testimony soon from Equifax CEO Richard Smith, recently noted on CNBC that his panel has conducted “multiple hearings on cybersecurity and data-breach,” and that “almost every witness said ‘don’t tie our hands’ ” in law because the threat was too dynamic and fast-changing.
Regulatory requirements “may be” the answer, Walden said, but lawmakers need to study the problem more closely.
In the last Congress, Walden’s panel and the House Financial Services Committee each passed a data-breach bill, but the measures couldn’t reach the floor amid disagreements between the committees and between the financial and retail sectors over the nature of the proposed requirements.
Now, even with Equifax fresh in lawmakers’ minds, sources on and off Capitol Hill say there has yet to be any movement toward resolving these differences.
The Energy and Commerce and Financial Services panels haven’t said whether they will move their respective bills again this year, though Rep. James Langevin, D-R.I., a long-time activist on cyber issues, moved quickly to re-introduce his own data-breach bill after the Equifax hack came to light.
In the Senate, data-breach legislation didn’t move at all last session and the relevant committees say no plans are in the works so far.
The Commerce Committee is investigating the Equifax breach but has yet to announce hearings or any legislative plans.
Likewise, the Senate Finance, Judiciary and Banking committees are seeking answers from the company but have no legislative plans on this topic, according to committee sources.
Some sources suggested Equifax could create momentum for a more-focused, perhaps easier-to-pass legislation addressing consumer credit rating agencies.
“This might be a little different because we are talking about a very small set of companies [credit score organizations],” said Brian Finch of Pillsbury Winthrop Shaw Pittman LLP. “That changes the calculation some as it could be a little easier to push regulations on a few companies rather than a large swath of the economy.”
Others, including Federal Trade Commissioner Terrell McSweeny, said the incident underscores the need for legislation giving agencies such as the FTC proactive authority to set cyber standards.
An array of jurisdictional issues, both among congressional committees and between states and the federal government, has made data-breach legislation one of the most difficult cyber policy questions for lawmakers to tackle.
Strong disagreements exist over issues such as related security standards and timing for notifications. Congressional leaders so far have refrained from choosing sides between committees or industries, and have not compelled lawmakers to reach a compromise and move a bill.
But timely notification is clearly something consumers should expect, especially in the case of credit rating agencies that give consumers no say in the data they are obtaining and holding.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.