Yahoo hack spurs push for legislation


Supporters of legislation that would dictate how and when companies have to notify customers of a data breach are seizing on the hack of 500 million Yahoo accounts to push their effort forward.

“We haven’t hit that sweet spot quite yet, but we’re close. I’m hoping this revelation about Yahoo will provide the needed impetus to get across the finish line,” Sen. John Thune (R-S.D.) told reporters this week.

Thune, the Commerce Committee chairman, is in talks with a handful of senators, some of whom have competing proposals to address data breach rules.

Data breach legislation generally is seen as the next cybersecurity frontier for Congress, but so far lawmakers have been unable to coalesce around a single proposal.

In the upper chamber, Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) have put forward a bill that has support from the financial services industry. Commerce Committee ranking member Bill Nelson (D-Fla.) has put forward a similar offering that mirrors a White House proposal.

Sen. Mark Warner (D-Va.) is also circulating a data breach proposal that has yet to be formally introduced but is drawing early support from the retail industry.

Meanwhile, Judiciary Committee ranking member Patrick Leahy (D-Vt.), along with five other Democrats, introduced an offering seen as the preferred option of privacy and consumer advocates.

The picture is equally complicated in the House, where negotiations to merge a companion to the Carper-Blunt offering with an Energy and Commerce Committee proposal supported by retailers have apparently stalled.

Lawmakers for close to 10 years sought to set some kind of national law on data breach notifications without much success, until a spate of high-profile retail breaches in 2015 breathed new life into security legislation — creating a glut of options.

The Yahoo breach has drawn particular attention not only for its size — 500 million accounts were exposed by hackers Yahoo says were nation state actors — but for the time the company took to notify victims.

The breach occurred in 2014, with Yahoo only announcing it this month. But reports indicate that the company may have been aware of the hack in July or August of this year.

The timing of the disclosure drew swift criticism from lawmakers who suggested that the company might have sat on the breach to avoid disrupting a purchase deal with Verizon.

“As law enforcement and regulators examine this incident, they should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon,” Sen. Richard Blumenthal (D-Conn.), who backs the Leahy bill, said in a statement.   

“This breach demonstrates the urgent need for Congress to enact data breach and security legislation — only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised.”

All of the various offerings in Congress would set a national standard for security protections, as well as dictate disclosure rules.

But partisan scuffling over whether different proposals would preempt existing state data security regulations has stymied progress.

In the Senate, Leahy’s bill protects stronger state data security requirements, a key sticking point for several Democrats who fear a weak federal standard might lessen consumer protections.

In the House, the Energy and Commerce bill has faced criticism from Democrats who say it would do away with stronger consumer protections at the state level.

The various proposals have also pitted financial services organizations against retailers.

The banking industry is pushing for retailers and others to be held to the same standards financial institutions already have to meet under the Gramm-Leach-Bliley Act.

Retailers, meanwhile, want a federal law to do away with the patchwork of state-by-state regulation — but are wary of having regulations from another industry pasted onto their own. They have publicly supported the Energy and Commerce bill, put forward by Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.).

The Financial Services Roundtable, meanwhile, backs the Carper-Blunt proposal, introduced by Rep. Randy Neugebauer (R-Texas) in the House.

Retailers warn the bill would be overly burdensome to some smaller businesses while allowing other companies — like third-party vendors and financial institutions — to escape regulation altogether.

Thune has not thrown his weight behind any specific proposal, and his office declined to comment on specific members involved in the talks, noting only that he has had discussions with several colleagues and plans additional outreach.

Warner, Carper, Blunt and Nelson are involved, according to a Senate aide and an industry source tracking the talks.

A spokesman for Senate Judiciary Chairman Chuck Grassley (R-Iowa) also said that he is part of the talks, as is Sen. Dianne Feinstein (D-Calif.), according to a congressional source.

The common consensus is that if there is movement on data breach legislation — in either chamber — it is likely to wait until the early part of 2017.

“The question ultimately is, is there the will to do it in the lame duck?” said a retail industry source tracking the issue.

“My sense is that’s not the case, but I think the first part of next year is probably the best time to get that done,” he said, a viewpoint backed up by a Senate aide close to the negotiations.

“We’ve been really close, but it’s complicated and there are a lot of different stakeholders that have different equities in this,” Thune said Tuesday.