Anti-hacking legislation now on the fritz

Lawmakers have been unable to move forward on legislation to protect shoppers’ personal data months after major hacks at Target, eBay, Neiman Marcus and other outlets left customers exposed.

Despite an initial flurry of activity on Capitol Hill, none of the multiple bills introduced in the wake of the massive Target data breach have moved out of committee. With time running out before the midterms and the end of the legislative session, the odds are increasing that Congress will fail to pass a bill this year.

“There’s always that possibility,” said Sen. Jay RockefellerJohn (Jay) Davison RockefellerSenate GOP rejects Trump’s call to go big on gun legislation Overnight Tech: Trump nominates Dem to FCC | Facebook pulls suspected baseball gunman's pages | Uber board member resigns after sexist comment Trump nominates former FCC Dem for another term MORE (D-W.Va.), who co-sponsored one of the data breach measures, about the chances of failure. “I never underestimate the power to screw up.”

Around the 2013 holiday shopping season, hackers hit Target and stole credit card, bank and personal information for as many as 110 million shoppers. Shortly after that breach was disclosed, Neiman Marcus announced that about 1 million credit cards had been exposed.

Similar news from the craft store Michaels, a series of hotel chains, universities and popular Web services such as Snapchat and eBay have sounded the alarm about the safety of users’ data in company hands.

According to a Gallup poll released on Friday, only 21 percent of the public has “a lot of trust” that businesses can safeguard their personal information. More than a third said that their trust had declined over the last year.

After the hacks, at least a half-dozen congressional committees held hearings on the issue across Capitol Hill. Multiple bills were introduced to protect people’s information, give more power to regulators and let consumers know if their data might have been stolen.  

Rockefeller, chairman of the Senate Commerce Committee, said having numerous committees with jurisdiction over the issue complicated matters.

In addition to his own panel, the Senate Banking, Homeland Security and Judiciary committees all have some authority over cybersecurity.

Rockefeller’s bill, introduced along with Sens. Dianne FeinsteinDianne Emiel FeinsteinJeh Johnson: Media focused on 'Access Hollywood' tape instead of Russian meddling ahead of election What’s genius for Obama is scandal when it comes to Trump Coalition presses Transportation Dept. for stricter oversight of driverless cars MORE (D-Calif.), Mark PryorMark Lunsford PryorMedicaid rollback looms for GOP senators in 2020 Cotton pitches anti-Democrat message to SC delegation Ex-Sen. Kay Hagan joins lobby firm MORE (D-Ark.) and Bill NelsonClarence (Bill) William NelsonSteyer brings his push to impeach Trump to town halls across the nation Overnight Defense: Senate sides with Trump on military role in Yemen | Dem vets push for new war authorization on Iraq anniversary | General says time isn't 'right' for space corps Senate sides with Trump on providing Saudi military support MORE (D-Fla.), would create a federal standard for companies to alert people if their information is exposed and require the Federal Trade Commission to issue data security standards.

Homeland Security Chairman Tom CarperThomas (Tom) Richard CarperWarren turns focus to Kushner’s loans Overnight Energy: Dems probe EPA security contract | GAO expands inquiry into EPA advisory boards | Dems want more time to comment on drilling plan Overnight Regulation: Senate takes first step to passing Dodd-Frank rollback | House passes bill requiring frequent reviews of financial regs | Conservatives want new checks on IRS rules MORE (D-Del.), who has introduced a separate bill with Sen. Roy BluntRoy Dean BluntFunding bill gives billion boost for NIH medical research Spending talks face new pressure Senate GOP shoots down bill blocking Trump tariffs MORE (R-Mo.), said that he has spoken with Majority Leader Harry ReidHarry Mason ReidTrump presses GOP to change Senate rules Only thing Defense’s UFO probe proves is power of political favors Nevada Democrat accused of sexual harassment reconsiders retirement: report MORE (D-Nev.) about getting the committees to work together on the issue.

“He has done that, and I think there is a working group working at the staff level on this,” he told The Hill. “My hope is that we’ll hear something back very soon.”

It's not just jurisdictional squabbling. The policy, too, has also been hard to agree on.

One popular idea is establishing a federal standard for notifying users if their data may have been compromised in a hack. Currently, 47 states and the District of Columbia have a law on their books, but industry groups say that that creates a tiresome “patchwork” of regulations for them to deal with. 

A federal notification standard on its own should be easy enough to pass, said David French, a top lobbyist with the National Retail Federation.

“I think what bogs this debate down and what has always bogged this debate down is a question of what else to add to that,” he said. “I think a lot of people have a lot of different ideas about other pieces of legislation that they’d like to see go along with that.”

Not everyone agrees even on the notification standard, however.

Consumer interest advocates fear that any national standard would lower the bar for companies by preempting tough state laws in places including California

Ed Mierzwinski, the consumer program director at the public interest group U.S. PIRG, blamed “institutional problems” in Congress for the lack of legislative progress.  But he added “the bigger problem is it's legislation that, once you examine it, is just not necessary because the states have already done it.”

While Congress stalls, some companies are moving forward on their own.

Since the data breach, Target has announced that it will speed up its switch to advanced credit cards with embedded microchips, which are more secure than American cards with a magnetic stripe.

Retail and financial industry groups have also gotten together to share information about possible cyber threats, which could help firms spot weak security points and prepare for an attack.

To do more, security advocates have pushed for the Senate to pass a more comprehensive cybersecurity bill.

That effort could face an uphill climb, however, amid possible opposition from civil liberties groups and others worrying that it would give too much power to the government. When the Senate last tried to pass a cyber bill in 2012, the effort failed to overcome a Republican filibuster.

“The same forces are at work” preventing progress on a larger hacking bill, said French, “and those forces are things like complexity and diverse committee jurisdiction.”

A spokeswoman with the Financial Services Roundtable, though, said the group was hopeful something could get done this year.

“We are just hoping to get this done before there is another attack,” Alison Hawkins said in an email.