Anti-hacking legislation now on the fritz

Lawmakers have been unable to move forward on legislation to protect shoppers’ personal data months after major hacks at Target, eBay, Neiman Marcus and other outlets left customers exposed.

Despite an initial flurry of activity on Capitol Hill, none of the multiple bills introduced in the wake of the massive Target data breach have moved out of committee. With time running out before the midterms and the end of the legislative session, the odds are increasing that Congress will fail to pass a bill this year.

“There’s always that possibility,” said Sen. Jay RockefellerJohn (Jay) Davison RockefellerSenate GOP rejects Trump’s call to go big on gun legislation Overnight Tech: Trump nominates Dem to FCC | Facebook pulls suspected baseball gunman's pages | Uber board member resigns after sexist comment Trump nominates former FCC Dem for another term MORE (D-W.Va.), who co-sponsored one of the data breach measures, about the chances of failure. “I never underestimate the power to screw up.”

Around the 2013 holiday shopping season, hackers hit Target and stole credit card, bank and personal information for as many as 110 million shoppers. Shortly after that breach was disclosed, Neiman Marcus announced that about 1 million credit cards had been exposed.

Similar news from the craft store Michaels, a series of hotel chains, universities and popular Web services such as Snapchat and eBay have sounded the alarm about the safety of users’ data in company hands.

According to a Gallup poll released on Friday, only 21 percent of the public has “a lot of trust” that businesses can safeguard their personal information. More than a third said that their trust had declined over the last year.

After the hacks, at least a half-dozen congressional committees held hearings on the issue across Capitol Hill. Multiple bills were introduced to protect people’s information, give more power to regulators and let consumers know if their data might have been stolen.  

Rockefeller, chairman of the Senate Commerce Committee, said having numerous committees with jurisdiction over the issue complicated matters.

In addition to his own panel, the Senate Banking, Homeland Security and Judiciary committees all have some authority over cybersecurity.

Rockefeller’s bill, introduced along with Sens. Dianne FeinsteinDianne Emiel FeinsteinChildren should not be human shields against immigration enforcement The Hill's Morning Report — Sponsored by PhRMA — Immigration drama grips Washington Grassley wants to subpoena Comey, Lynch after critical IG report MORE (D-Calif.), Mark PryorMark Lunsford PryorMedicaid rollback looms for GOP senators in 2020 Cotton pitches anti-Democrat message to SC delegation Ex-Sen. Kay Hagan joins lobby firm MORE (D-Ark.) and Bill NelsonClarence (Bill) William NelsonOvernight Defense: Defense spending bill amendments target hot-button issues | Space Force already facing hurdles | Senators voice 'deep' concerns at using military lawyers on immigration cases Rubio heckled by protestors outside immigration detention facility Obstacles to Trump's 'Space Force' could keep proposal grounded for now MORE (D-Fla.), would create a federal standard for companies to alert people if their information is exposed and require the Federal Trade Commission to issue data security standards.

Homeland Security Chairman Tom CarperThomas (Tom) Richard CarperOvernight Energy: Inhofe defends Pruitt after criticisms | Agency releases study on water contaminant | Trump rescinds Obama ocean policy Dems press EPA nominees on ethics, climate Overnight Energy: Senate panel sets Pruitt hearing | Colorado joins California with tougher emissions rules | Court sides with Trump on coal leasing program MORE (D-Del.), who has introduced a separate bill with Sen. Roy BluntRoy Dean BluntGOP senators introduce bill to prevent family separations at border Ernst, Fischer to square off for leadership post Facebook gives 500 pages of answers to lawmakers' data privacy questions MORE (R-Mo.), said that he has spoken with Majority Leader Harry ReidHarry Mason ReidAmendments fuel resentments within Senate GOP Donald Trump is delivering on his promises and voters are noticing Danny Tarkanian wins Nevada GOP congressional primary MORE (D-Nev.) about getting the committees to work together on the issue.

“He has done that, and I think there is a working group working at the staff level on this,” he told The Hill. “My hope is that we’ll hear something back very soon.”

It's not just jurisdictional squabbling. The policy, too, has also been hard to agree on.

One popular idea is establishing a federal standard for notifying users if their data may have been compromised in a hack. Currently, 47 states and the District of Columbia have a law on their books, but industry groups say that that creates a tiresome “patchwork” of regulations for them to deal with. 

A federal notification standard on its own should be easy enough to pass, said David French, a top lobbyist with the National Retail Federation.

“I think what bogs this debate down and what has always bogged this debate down is a question of what else to add to that,” he said. “I think a lot of people have a lot of different ideas about other pieces of legislation that they’d like to see go along with that.”

Not everyone agrees even on the notification standard, however.

Consumer interest advocates fear that any national standard would lower the bar for companies by preempting tough state laws in places including California

Ed Mierzwinski, the consumer program director at the public interest group U.S. PIRG, blamed “institutional problems” in Congress for the lack of legislative progress.  But he added “the bigger problem is it's legislation that, once you examine it, is just not necessary because the states have already done it.”

While Congress stalls, some companies are moving forward on their own.

Since the data breach, Target has announced that it will speed up its switch to advanced credit cards with embedded microchips, which are more secure than American cards with a magnetic stripe.

Retail and financial industry groups have also gotten together to share information about possible cyber threats, which could help firms spot weak security points and prepare for an attack.

To do more, security advocates have pushed for the Senate to pass a more comprehensive cybersecurity bill.

That effort could face an uphill climb, however, amid possible opposition from civil liberties groups and others worrying that it would give too much power to the government. When the Senate last tried to pass a cyber bill in 2012, the effort failed to overcome a Republican filibuster.

“The same forces are at work” preventing progress on a larger hacking bill, said French, “and those forces are things like complexity and diverse committee jurisdiction.”

A spokeswoman with the Financial Services Roundtable, though, said the group was hopeful something could get done this year.

“We are just hoping to get this done before there is another attack,” Alison Hawkins said in an email.