Democratic lawmakers are banging the drum for harsher penalties against companies and executives that don’t protect people’s data after credit ratings agency Equifax was ordered to pay up to $700 million in a groundbreaking settlement yesterday for the 2017 data breach.
The calls reflect a prevailing belief in the Democratic Party that companies have played fast and loose for too long with the privacy and security of people’s data, analysts told me. But it will still be an extremely heavy lift to turn their ire into actual laws, they warned.
“The mood is a little more anti-corporate than it was four or five years ago, more pitchfork-y,” Justin Brookman, director of consumer privacy and technology policy for Consumer Reports and a former policy director at the Federal Trade Commission, told me.
Within hours of the settlement -- which was agreed to by attorneys general from 48 states as well as the District of Columbia and Puerto Rico -- Sens. Elizabeth Warren (Mass.) and Mark Warner (Va.) were pushing legislation. The bill, originally introduced in May, would impose harsh minimum penalties for breaches at credit ratings agencies and would have cost Equifax $1.5 billion if it had been in place when that breach occurred.
Credit bureaus like Equifax collect your data whether you want them to or not, and they should face steep penalties for failing to secure that data. While I'm happy victims are being compensated, we need structural reforms and increased oversight so this never happens again. https://t.co/pted4Uya7s — Mark Warner (@MarkWarner) July 22, 2019
Sen. Ron Wyden (Ore.) was also pushing his proposed bill that would authorize criminal prosecutions and 20-year prison sentences for senior executives at companies that suffer data breaches. It would also allow the Federal Trade Commission to fine those companies up to 4 percent of their annual revenue.
Equifax knew its security was pitifully weak and yet did nothing to correct it, according to the FTC. In a just world, these executives would be going to jail. https://t.co/W0K6MwcRLT — Ron Wyden (@RonWyden) July 22, 2019
And House Energy and Commerce Committee Chairman Frank Pallone (N.J.) re-upped calls to give the FTC new authorities to impose penalties on companies that suffer data breaches.
The @FTC's settlement with Equifax does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers. https://t.co/N1lmzutr0h — Rep. Frank Pallone (@FrankPallone) July 22, 2019
Right now, the regulator can only direct companies that have suffered data breaches to improve their security practices. It can penalize them only if they violate those directions – which Brookman told me effectively gives companies “one free bite at the apple.”
There's already momentum on Capitol Hill, as lawmakers on both sides of the aisle have pledged to work on comprehensive privacy legislation after a slew of high-profile privacy failures at top tech companies and an expected record-breaking $5 billion fine for Facebook — which still wasn’t as high as the FTC had wanted, my colleague Tony Romm reported. Those who want new data breach penalties could hitch a ride on that effort, Michelle Richardson, director of the Center for Democracy and Technology’s Privacy and Data Project, told me.
But even bipartisan anger at Equifax and a slew of other companies that have suffered major data breaches in recent years — such as Yahoo, J.P. Morgan and the health insurer Anthem — is unlikely to produce an agreement on Capitol Hill, other analysts warned.
For one thing, efforts to produce new federal penalties could spark conflict with states that have their own data breach laws, Ari Schwartz, managing director for cybersecurity services at the law firm Venable, told me.
For years Congress has run into similar trouble simply trying to create a federal law mandating when consumers must be notified that their data was compromised.
It will also be difficult for Congress to create a uniform set of penalties for different types of companies that deal with different kinds of customer data, said Schwartz, who was formerly a top cybersecurity official at the White House and Commerce Department. Because Equifax deals in financial data, for example, it is regulated under a stricter set of laws than firms that don’t collect such data. There are similar laws governing medical and student data, but not general consumer data.
Finally, lawmakers eager to pass some form of privacy legislation might be wary that adding data security into the mix might “bog things down,” Schwartz said.
But there's one silver lining: The settlement does prove the punishments are already getting worse for data breaches even without legislation. Schwartz noted the size of breach settlements has grown significantly in recent years and the $700 million penalty for Equifax is sure to make a big impact on companies' behavior, he said.
“People will look back on the Equifax breach as a watershed,” Schwartz told me. “But I don’t think it’s going to have a huge impact on legislation.”
PINGED: Chinese tech giant Huawei may have violated U.S. export controls by secretly furnishing the North Korean government with equipment to build and maintain its wireless network, my colleagues Ellen Nakashima, Gerry Shih, and John Hudson report. The new link between North Korea and Huawei “is likely to fuel even deeper suspicion among Western nations contemplating whether to ban the company, in full or in part, from their next-generation 5G wireless networks,” they write.
Huawei masked its involvement with the North Koreans over the past eight years by partnering with Chinese state-owned firm Panda International Information Technology, according to company documents provided to The Post by former employees. The Commerce Department banned exports to Panda in 2014, which means any Huawei technology with U.S. components sold to North Koreans at that time would violate U.S. sanctions.
The Trump administration has banned Huawei from U.S. 5G networks and banned U.S. companies from selling software and parts to the Chinese firm -- but President Trump has wavered on how strictly to enforce that ban. Trump told reporters that his administration would look into the potential links between the company and North Korea.
President Trump: "I know all about the 5G... We're going to have the best 5G in the world just like we have everything else." pic.twitter.com/ODXThxJ3mm — The Hill (@thehill) July 22, 2019
“I know all about Huawei. I know all about 5G. We’re working on it. We’re going to have the best 5G in the world,” Trump told reporters. “We have companies that are now getting very strong in that department. Silicon Valley cannot be competed with … We don't need anything from anybody.”
PATCHED: 2020 presidential candidate Sen. Amy Klobuchar (D-Minn.) slammed Senate Majority Leader Mitch McConnell (R-Ky.) and the White House for blocking legislation to secure the upcoming elections in an interview with my colleague Robert Costa yesterday. Klobuchar echoed growing concerns from the U.S. intelligence community that Russia and other nations will ramp up election interference operations in 2020.
“I mean, why even go to the Senate if you actually are allowing elections to be corrupted? Why would you want it?” Klobuchar swiped. She added that Republicans in the Senate are “embarrassed” by their party’s leadership and “know it should go forward.”
Klobuchar also warned that preventing other election legislation, such as her Honest Ads Act, would open the door for foreign governments and other actors to manipulate voters online.
PWNED: Senate Democrats are using special counsel Robert S. Mueller III’s testimony in front of the Senate Intelligence Committee tomorrow to renew their crusade to pass a slew of election security reforms. Senate and House Democrats including Warner, the Senate Intelligence Committee vice chairman, will host a news conference today highlighting bipartisan proposals that they say McConnell “buried in the Senate’s legislative graveyard.”
McConnell has refused to allow votes on election security legislation, including a bill that would mandate that states use paper ballots that are tougher to hack than digital ones and another bill that would require online political ads to come with the same disclosures as print and broadcast media. Democrats say McConnell’s blockade threatens the security of the 2020 election, which intelligence leaders say Russia and other nations are likely to try to disrupt. Democrats launched a similar push in June to draw attention to the resistance of Republican leadership to the bipartisan bills.
- The International Conference on Cyber Security will take place at Fordham University in New York City through July 25.
- The Senate Judiciary will host an oversight hearing for the Federal Bureau of Investigation with Director Christopher A. Wray testifying at 10 a.m.
- The House Appropriations Committee will host a hearing on the budget and oversight of the White House Office of Science and Technology Policy at 10:15 a.m. Wednesday.
- Mueller will go in front of the House Intelligence Committee to testify about the Investigation into Russian Interference in the 2016 Presidential Election on Wednesday at 12 p.m.
- The House Appropriations Committee will host a hearing on U.S. Customs and Border Protection Border Patrol Oversight on Wednesday at 2 p.m.
- The House Select Committee on the Modernization of Congress will host a hearing on lessons from the states in modernization at 2 p.m.