Anti-hacking legislation now on the fritz

Lawmakers have been unable to move forward on legislation to protect shoppers’ personal data months after major hacks at Target, eBay, Neiman Marcus and other outlets left customers exposed.

Despite an initial flurry of activity on Capitol Hill, none of the multiple bills introduced in the wake of the massive Target data breach have moved out of committee. With time running out before the midterms and the end of the legislative session, the odds are increasing that Congress will fail to pass a bill this year.

“There’s always that possibility,” said Sen. Jay Rockefeller (D-W.Va.), who co-sponsored one of the data breach measures, about the chances of failure. “I never underestimate the power to screw up.”

Around the 2013 holiday shopping season, hackers hit Target and stole credit card, bank and personal information for as many as 110 million shoppers. Shortly after that breach was disclosed, Neiman Marcus announced that about 1 million credit cards had been exposed.

Similar news from the craft store Michaels, a series of hotel chains, universities and popular Web services such as Snapchat and eBay has sounded the alarm about the safety of users’ data in company hands.

According to a Gallup poll released on Friday, only 21 percent of the public has “a lot of trust” that businesses can safeguard their personal information. More than a third said that their trust had declined over the last year.

After the hacks, at least a half-dozen congressional committees held hearings on the issue across Capitol Hill. Multiple bills were introduced to protect people’s information, give more power to regulators and let consumers know if their data might have been stolen.  

Rockefeller, chairman of the Senate Commerce Committee, said having numerous committees with jurisdiction over the issue complicated matters.

In addition to his own panel, the Senate Banking, Homeland Security and Judiciary committees all have some authority over cybersecurity.

Rockefeller’s bill, introduced along with Sens. Dianne Feinstein (D-Calif.), Mark Pryor (D-Ark.) and Bill Nelson (D-Fla.), would create a federal standard for companies to alert people if their information is exposed and require the Federal Trade Commission to issue data security standards.

Homeland Security Chairman Tom Carper (D-Del.), who has introduced a separate bill with Sen. Roy Blunt (R-Mo.), said that he has spoken with Majority Leader Harry Reid (D-Nev.) about getting the committees to work together on the issue.

“He has done that, and I think there is a working group working at the staff level on this,” he told The Hill. “My hope is that we’ll hear something back very soon.”

It's not just jurisdictional squabbling. The policy, too, has been hard to agree on.

One popular idea is establishing a federal standard for notifying users if their data may have been compromised in a hack. Currently, 47 states and the District of Columbia have a law on their books, but industry groups say that that creates a tiresome “patchwork” of regulations for them to deal with. 

A federal notification standard on its own should be easy enough to pass, said David French, a top lobbyist with the National Retail Federation.

“I think what bogs this debate down and what has always bogged this debate down is a question of what else to add to that,” he said. “I think a lot of people have a lot of different ideas about other pieces of legislation that they’d like to see go along with that.”

Not everyone agrees even on the notification standard, however.

Consumer interest advocates fear that any national standard would lower the bar for companies by preempting tough state laws in places including California.

Ed Mierzwinski, the consumer program director at the public interest group U.S. PIRG, blamed “institutional problems” in Congress for the lack of legislative progress. But he added, “the bigger problem is it's legislation that, once you examine it, is just not necessary because the states have already done it.”

While Congress stalls, some companies are moving forward on their own.

Since the data breach, Target has announced that it will speed up its switch to advanced credit cards with embedded microchips, which are more secure than American cards with a magnetic stripe.

Retail and financial industry groups have also gotten together to share information about possible cyber threats, which could help firms spot weak security points and prepare for an attack.

To do more, security advocates have pushed for the Senate to pass a more comprehensive cybersecurity bill.

That effort could face an uphill climb, however, amid possible opposition from civil liberties groups and others worrying that it would give too much power to the government. When the Senate last tried to pass a cyber bill in 2012, the effort failed to overcome a Republican filibuster.

“The same forces are at work” preventing progress on a larger hacking bill, said French, “and those forces are things like complexity and diverse committee jurisdiction.”

A spokeswoman with the Financial Services Roundtable, though, said the group was hopeful something could get done this year.

“We are just hoping to get this done before there is another attack,” Alison Hawkins said in an email.