THE KEY

Democratic lawmakers are banging the drum for harsher penalties against companies and executives that don’t protect people’s data after credit ratings agency Equifax was ordered to pay up to $700 million in a groundbreaking settlement yesterday for the 2017 data breach. 

The calls reflect a prevailing belief in the Democratic Party that companies have played fast and loose for too long with the privacy and security of people’s data, analysts told me. But it will still be an extremely heavy lift to turn their ire into actual laws, they warned.

“The mood is a little more anti-corporate than it was four or five years ago, more pitchfork-y,” Justin Brookman, director of consumer privacy and technology policy for Consumer Reports and a former policy director at the Federal Trade Commission, told me. 

Within hours of the settlement -- which was agreed to by attorneys general from 48 states as well as the District of Columbia and Puerto Rico -- Sens. Elizabeth Warren (Mass.) and Mark Warner (Va.) were pushing legislation. The bill, originally introduced in May, would impose harsh minimum penalties for breaches at credit ratings agencies and would have cost Equifax $1.5 billion if it was in place when that breach occurred.

Sen. Ron Wyden (Ore.) was also pushing his proposed bill that would authorize criminal prosecutions and 20-year prison sentences for senior executives at companies that suffer data breaches. It would also allow the Federal Trade Commission to fine those companies up to 4 percent of their annual revenue.

And House Energy and Commerce Committee Chairman Frank Pallone (N.J.) re-upped calls to give the FTC new authorities to impose penalties on companies that suffer data breaches.

Right now, the regulator can only direct companies that have suffered data breaches to improve their security practices. It can penalize them only if they violate those directions – which Brookman told me effectively gives companies “one free bite at the apple.”  

There's already momentum on Capitol Hill: lawmakers on both sides of the aisle have pledged to work on comprehensive privacy legislation after a slew of high-profile privacy failures at top tech companies and an expected record-breaking $5 billion fine for Facebook — which still wasn’t as high as the FTC had wanted, my colleague Tony Romm reported. Those who want new data breach penalties could hitch a ride on that effort, Michelle Richardson, director of the Center for Democracy and Technology’s Privacy and Data Project, told me.

But even bipartisan anger at Equifax and a slew of other companies that have suffered major data breaches in recent years — such as Yahoo, J.P. Morgan and the health insurer Anthem — is unlikely to produce an agreement on Capitol Hill, other analysts warned.

For one thing, efforts to produce new federal penalties could spark conflict with states that have their own data breach laws, Ari Schwartz, managing director for cybersecurity services at the law firm Venable, told me.

For years Congress has run into similar trouble simply trying to create a federal law mandating when consumers must be notified that their data was compromised. 

It will also be difficult for Congress to create a uniform set of penalties for different types of companies that deal with different kinds of customer data, said Schwartz, who was formerly a top cybersecurity official at the White House and Commerce Department. Because Equifax deals in financial data, for example, it is regulated under a stricter set of laws than firms that don’t collect such data. There are similar laws governing medical and student data, but not general consumer data. 

Finally, lawmakers eager to pass some form of privacy legislation might be wary that adding data security into the mix might “bog things down,” Schwartz said.

But there's one silver lining: The settlement does prove the punishments are already getting worse for data breaches even without legislation. Schwartz noted that the size of breach settlements has grown significantly in recent years, and he said the $700 million penalty for Equifax is sure to make a big impact on companies' behavior.

“People will look back on the Equifax breach as a watershed,” Schwartz told me. “But I don’t think it’s going to have a huge impact on legislation.”

PINGED, PATCHED, PWNED

PINGED: Chinese tech giant Huawei may have violated U.S. export controls by secretly furnishing the North Korean government with equipment to build and maintain its wireless network, my colleagues Ellen Nakashima, Gerry Shih, and John Hudson report. The new link between North Korea and Huawei “is likely to fuel even deeper suspicion among Western nations contemplating whether to ban the company, in full or in part, from their next-generation 5G wireless networks,” they write.

Huawei masked its involvement with the North Koreans over the past eight years by partnering with Chinese state-owned firm Panda International Information Technology, according to company documents provided to The Post by former employees. The Commerce Department banned exports to Panda in 2014, which means any Huawei technology with U.S. components sold to North Koreans at that time would violate U.S. sanctions.

The Trump administration has banned Huawei from U.S. 5G networks and banned U.S. companies from selling software and parts to the Chinese firm -- but President Trump has wavered on how strictly to enforce that ban. Trump told reporters that his administration would look into the potential links between the company and North Korea.

“I know all about Huawei. I know all about 5G. We’re working on it. We’re going to have the best 5G in the world,” Trump told reporters. “We have companies that are now getting very strong in that department. Silicon Valley cannot be competed with … We don't need anything from anybody.”

PATCHED: 2020 presidential candidate Sen. Amy Klobuchar (D-Minn.) slammed Senate Majority Leader Mitch McConnell (R-Ky.) and the White House for blocking legislation to secure the upcoming elections in an interview with my colleague Robert Costa yesterday. Klobuchar echoed growing concerns from the U.S. intelligence community that Russia and other nations will ramp up election interference operations in 2020.

“I mean, why even go to the Senate if you actually are allowing elections to be corrupted? Why would you want it?” Klobuchar swiped. She added that Republicans in the Senate are “embarrassed” by their party’s leadership and “know it should go forward.”

Klobuchar also warned that preventing other election legislation, such as her Honest Ads Act, would open the door for foreign governments and other actors to manipulate voters online.

PWNED: Senate Democrats are using special counsel Robert S. Mueller III’s testimony in front of the Senate Intelligence Committee tomorrow to renew their crusade to pass a slew of election security reforms. Senate and House Democrats including Warner, the Senate Intelligence Committee vice chairman, will host a news conference today highlighting bipartisan proposals that they say McConnell “buried in the Senate’s legislative graveyard.”

McConnell has refused to allow votes on election security legislation, including a bill that would mandate that states use paper ballots that are tougher to hack than digital ones and another bill that would require online political ads to come with the same disclosures as print and broadcast media. Democrats say McConnell’s blockade threatens the security of the 2020 election, which intelligence leaders say Russia and other nations are likely to try to disrupt. Democrats launched a similar push in June to draw attention to the resistance of Republican leadership to the bipartisan bills.

PUBLIC KEY

-- Cybersecurity news from the public sector:

The president's get-together with the top House Intelligence Republican has fueled more chatter that Dan Coats may be on his way out.
Politico
President Trump agreed to grant timely licensing decisions to U.S. technology companies that want to continue lucrative sales to Huawei Technologies, as the administration seeks to restart trade talks with China.
Wall Street Journal
President Donald Trump agreed at a meeting with the heads of top technology comp...
Reuters
The emails show that CBP didn't know what was in the Perceptics breach until weeks after the media initially reported it.
Vice
The legislation would set “reasonable” security measures for the numerous IT systems that power our increasingly connected vehicles.
NextGov
PRIVATE KEY

— Cybersecurity news from the private sector:

Norsk Hydro, one of the world's largest aluminum producers, said a cyber at...
Reuters
"We recently notified some parents... about a technical error," Facebook said
The Verge
Some customer backup files were encrypted, delaying recovery operations. Outage has now reached a week.
ZDNet
THE NEW WILD WEST

— Cybersecurity news from abroad:

Britain on Monday postponed a decision on whether Huawei could participate in bu...
Reuters
ZERO DAYBOOK

Today:

Coming up:

  • The House Appropriations Committee will host a hearing on the budget and oversight of the White House Office of Science and Technology Policy at 10:15 a.m. Wednesday.
  • Mueller will go in front of the House Intelligence Committee to testify about the Investigation into Russian Interference in the 2016 Presidential Election on Wednesday at 12 p.m.
  • The House Appropriations Committee will host a hearing on U.S. Customs and Border Protection Border Patrol Oversight on Wednesday at 2 p.m.
  • The House Select Committee on the Modernization of Congress will host a hearing on lessons from the states in modernization at 2 p.m.