Lawmakers have been unable to move forward on legislation to protect shoppers’ personal data months after major hacks at Target, eBay, Neiman Marcus and other outlets left customers exposed.
Despite an initial flurry of activity on Capitol Hill, none of the multiple bills introduced in the wake of the massive Target data breach have moved out of committee. With time running out before the midterms and the end of the legislative session, the odds are increasing that Congress will fail to pass a bill this year.
Around the 2013 holiday shopping season, hackers hit Target and stole credit card, bank and personal information for as many as 110 million shoppers. Shortly after that breach was disclosed, Neiman Marcus announced that about 1 million credit cards had been exposed.
Similar news from the craft store Michaels, a series of hotel chains, universities and popular Web services such as Snapchat and eBay have sounded the alarm about the safety of users’ data in company hands.
According to a Gallup poll released on Friday, only 21 percent of the public has “a lot of trust” that businesses can safeguard their personal information. More than a third said that their trust had declined over the last year.
After the hacks, at least a half-dozen congressional committees held hearings on the issue across Capitol Hill. Multiple bills were introduced to protect people’s information, give more power to regulators and let consumers know if their data might have been stolen.
Rockefeller, chairman of the Senate Commerce Committee, said having numerous committees with jurisdiction over the issue complicated matters.
In addition to his own panel, the Senate Banking, Homeland Security and Judiciary committees all have some authority over cybersecurity.
Rockefeller’s bill, introduced along with Sens. Dianne FeinsteinDianne FeinsteinSenate to vote Friday on Trump's defense picks Senate seeks deal on Trump nominees Manning commutation sparks Democratic criticism MORE (D-Calif.), Mark PryorMark PryorCotton pitches anti-Democrat message to SC delegation Ex-Sen. Kay Hagan joins lobby firm Top Democrats are no advocates for DC statehood MORE (D-Ark.) and Bill NelsonBill NelsonLive coverage: Senators grill Trump's Treasury pick Trump's Commerce pick admits to unknowingly hiring undocumented worker Senate Democrats brace for Trump era MORE (D-Fla.), would create a federal standard for companies to alert people if their information is exposed and require the Federal Trade Commission to issue data security standards.
Homeland Security Chairman Tom CarperTom CarperPruitt says his EPA will work with the states Dems prepare to face off with Trump's pick to lead EPA Justice, FBI to be investigated over Clinton probes MORE (D-Del.), who has introduced a separate bill with Sen. Roy BluntRoy BluntTrump told of unsubstantiated Russian effort to compromise him Overnight Tech: Tech listens for clues at Sessions hearing | EU weighs expanding privacy rule | Senators blast Backpage execs A bitter end to the VA status quo MORE (R-Mo.), said that he has spoken with Majority Leader Harry ReidHarry ReidThe DC bubble is strangling the DNC Dems want Sessions to recuse himself from Trump-Russia probe Ryan says Trump, GOP 'in complete sync' on ObamaCare MORE (D-Nev.) about getting the committees to work together on the issue.
“He has done that, and I think there is a working group working at the staff level on this,” he told The Hill. “My hope is that we’ll hear something back very soon.”
It's not just jurisdictional squabbling. The policy, too, has also been hard to agree on.
One popular idea is establishing a federal standard for notifying users if their data may have been compromised in a hack. Currently, 47 states and the District of Columbia have a law on their books, but industry groups say that that creates a tiresome “patchwork” of regulations for them to deal with.
A federal notification standard on its own should be easy enough to pass, said David French, a top lobbyist with the National Retail Federation.
“I think what bogs this debate down and what has always bogged this debate down is a question of what else to add to that,” he said. “I think a lot of people have a lot of different ideas about other pieces of legislation that they’d like to see go along with that.”
Not everyone agrees even on the notification standard, however.
Consumer interest advocates fear that any national standard would lower the bar for companies by preempting tough state laws in places including California
Ed Mierzwinski, the consumer program director at the public interest group U.S. PIRG, blamed “institutional problems” in Congress for the lack of legislative progress. But he added “the bigger problem is it's legislation that, once you examine it, is just not necessary because the states have already done it.”
While Congress stalls, some companies are moving forward on their own.
Since the data breach, Target has announced that it will speed up its switch to advanced credit cards with embedded microchips, which are more secure than American cards with a magnetic stripe.
Retail and financial industry groups have also gotten together to share information about possible cyber threats, which could help firms spot weak security points and prepare for an attack.
To do more, security advocates have pushed for the Senate to pass a more comprehensive cybersecurity bill.
That effort could face an uphill climb, however, amid possible opposition from civil liberties groups and others worrying that it would give too much power to the government. When the Senate last tried to pass a cyber bill in 2012, the effort failed to overcome a Republican filibuster.
“The same forces are at work” preventing progress on a larger hacking bill, said French, “and those forces are things like complexity and diverse committee jurisdiction.”
A spokeswoman with the Financial Services Roundtable, though, said the group was hopeful something could get done this year.
“We are just hoping to get this done before there is another attack,” Alison Hawkins said in an email.