Anti-hacking legislation now on the fritz

Lawmakers have been unable to move forward on legislation to protect shoppers’ personal data months after major hacks at Target, eBay, Neiman Marcus and other outlets left customers exposed.

Despite an initial flurry of activity on Capitol Hill, none of the multiple bills introduced in the wake of the massive Target data breach have moved out of committee. With time running out before the midterms and the end of the legislative session, the odds are increasing that Congress will fail to pass a bill this year.

ADVERTISEMENT
“There’s always that possibility,” said Sen. Jay Rockefeller (D-W.Va.), who co-sponsored one of the data breach measures, about the chances of failure. “I never underestimate the power to screw up.”

Around the 2013 holiday shopping season, hackers hit Target and stole credit card, bank and personal information for as many as 110 million shoppers. Shortly after that breach was disclosed, Neiman Marcus announced that about 1 million credit cards had been exposed.

Similar news from the craft store Michaels, a series of hotel chains, universities and popular Web services such as Snapchat and eBay have sounded the alarm about the safety of users’ data in company hands.

According to a Gallup poll released on Friday, only 21 percent of the public has “a lot of trust” that businesses can safeguard their personal information. More than a third said that their trust had declined over the last year.

After the hacks, at least a half-dozen congressional committees held hearings on the issue across Capitol Hill. Multiple bills were introduced to protect people’s information, give more power to regulators and let consumers know if their data might have been stolen.  

Rockefeller, chairman of the Senate Commerce Committee, said having numerous committees with jurisdiction over the issue complicated matters.

In addition to his own panel, the Senate Banking, Homeland Security and Judiciary committees all have some authority over cybersecurity.

Rockefeller’s bill, introduced along with Sens. Dianne Feinstein (D-Calif.), Mark Pryor (D-Ark.) and Bill Nelson (D-Fla.), would create a federal standard for companies to alert people if their information is exposed and require the Federal Trade Commission to issue data security standards.

Homeland Security Chairman Tom Carper (D-Del.), who has introduced a separate bill with Sen. Roy Blunt (R-Mo.), said that he has spoken with Majority Leader Harry Reid (D-Nev.) about getting the committees to work together on the issue.

“He has done that, and I think there is a working group working at the staff level on this,” he told The Hill. “My hope is that we’ll hear something back very soon.”

It's not just jurisdictional squabbling. The policy, too, has also been hard to agree on.

One popular idea is establishing a federal standard for notifying users if their data may have been compromised in a hack. Currently, 47 states and the District of Columbia have a law on their books, but industry groups say that that creates a tiresome “patchwork” of regulations for them to deal with. 

A federal notification standard on its own should be easy enough to pass, said David French, a top lobbyist with the National Retail Federation.

“I think what bogs this debate down and what has always bogged this debate down is a question of what else to add to that,” he said. “I think a lot of people have a lot of different ideas about other pieces of legislation that they’d like to see go along with that.”

Not everyone agrees even on the notification standard, however.

Consumer interest advocates fear that any national standard would lower the bar for companies by preempting tough state laws in places including California

Ed Mierzwinski, the consumer program director at the public interest group U.S. PIRG, blamed “institutional problems” in Congress for the lack of legislative progress.  But he added “the bigger problem is it's legislation that, once you examine it, is just not necessary because the states have already done it.”

While Congress stalls, some companies are moving forward on their own.

Since the data breach, Target has announced that it will speed up its switch to advanced credit cards with embedded microchips, which are more secure than American cards with a magnetic stripe.

Retail and financial industry groups have also gotten together to share information about possible cyber threats, which could help firms spot weak security points and prepare for an attack.

To do more, security advocates have pushed for the Senate to pass a more comprehensive cybersecurity bill.

That effort could face an uphill climb, however, amid possible opposition from civil liberties groups and others worrying that it would give too much power to the government. When the Senate last tried to pass a cyber bill in 2012, the effort failed to overcome a Republican filibuster.

“The same forces are at work” preventing progress on a larger hacking bill, said French, “and those forces are things like complexity and diverse committee jurisdiction.”

A spokeswoman with the Financial Services Roundtable, though, said the group was hopeful something could get done this year.

“We are just hoping to get this done before there is another attack,” Alison Hawkins said in an email.