Congress is taking a break to hit the campaign trail for the next four weeks. While we’ve managed to avoid a federal government shutdown, they leave with other unfinished business on their plates. One of those items is data breach legislation.
Recently, Yahoo announced that the accounts of 500 million users were hacked in 2014 and reports indicate that the total number of affected accounts may top 1 billion. Yahoo account holder information, including names, email addresses, telephone numbers, birth dates, encrypted passwords and even answers to security questions, was ripped off by a state-sponsored actor – believed to be Russia. Reports first surfaced when a thief posted on a website that he was selling credentials for 200 million Yahoo users for a basement sale price of just $1,800.
This is likely the biggest data breach in history and it has prompted Congress to consider legislation to protect consumers and add accountability for companies that collect private information.
A number of bills that are floating around both houses of Congress enjoy support from various constituencies. So far, lawmakers have yet to coalesce around a single bill, but Republican senator John Thune thinks this Yahoo data breach is the nudge they needed to get something done:
“We haven’t hit that sweet spot quite yet, but we’re close. I’m hoping this revelation about Yahoo will provide the needed impetus to get across the finish line,” Sen. John Thune (R-S.D.) told reporters this week.
In the upper chamber, Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) have put forward a bill that has support from the financial services industry. Commerce Committee ranking member Bill Nelson (D-Fla.) has put forward a similar offering that mirrors a White House proposal.
Sen. Mark Warner (D-Va.) is also circulating a data breach proposal that has yet to be formally introduced but is drawing early support from the retail industry.
Meanwhile, Judiciary Committee ranking member Patrick Leahy (D-Vt.), along with five other Democrats, introduced an offering seen as the preferred option of privacy and consumer advocates.
The picture is equally complicated in the House, where negotiations to merge a companion to the Carper-Blunt offering with an Energy and Commerce Committee proposal supported by retailers have apparently stalled.
There are several problems with this effort, though.
First, should a sweeping federal bill trump the current state regulations? (National) retailers are supportive of eliminating state-by-state regulations, for example. However, states tend to have the best local knowledge about their industries. Isn’t it better to leave it to them?
Second and related to this, how will one bill address the differences across industries? Some industries collect more private data from their customers than others. How can one piece of legislation address the responsibilities of companies in every industry? App-based companies and your local Subway restaurant both have access to your credit cards and financial information, but we can agree how much they handle and what they do with it is very different.
Third, big businesses and small businesses do not and cannot respond to data breaches in the same ways. A small business owner with just one employee likely doesn’t possess the resources to fight cybercrime that a multi-million or multi-billion dollar company does. How can we be sure that the expectations of both are not burdensome in either case?
Other considerations include whether proposed bills would weaken consumer protections and whether some companies could slip through the cracks – escaping regulation altogether.
Thune acknowledged the stickiness of the situation, noting:
“We’ve been really close, but it’s complicated and there are a lot of different stakeholders that have different equities in this.”
The challenge is how to address all of these concerns.
Perhaps this is an indication that a one-size-fits-all solution is not the best course of action. When dangerous or egregious situations occur such as the Yahoo data breach, Washington’s machine (from elected officials to bureaucrats) feels the pressure to act in hopes that it can prevent a similar episode from recurring. There is no guarantee that any one bill will do enough. Furthermore, cyber thieves are smart and are always using ever-evolving technology to stay ahead of authorities.
And let’s not forget that the federal government is far from the shining example of how to address cyber security, protect private information, or respond with celerity to data breaches. Just ask the 20 million current and former federal workers whose data was nabbed from the Office of Personnel Management.