The United States is now facing what can only be described as a national data breach crisis.
Will Congress step in and fix it? Experts say don’t hold your breath.
Equifax revealed last week that as many as 143 million Americans, or nearly half the country, may have had their personal information compromised in a massive security breach.
This is not just another breach. The compromised data includes some of our most sensitive personal information: names, social security numbers, addresses, birth dates and some driver’s license numbers.
Lawmakers on both sides of the aisle were quick to express concerns.
Jeb Hensarling, a Republican Congressman from Texas and the chairman of the House Financial Services Committee, said Friday that preparations are already underway for a congressional hearing on the matter.
Senator Mark Warner, a Democrat and member of the Senate Banking Committee, called for a “uniform data breach notification standard.”
White House press secretary Sarah Huckabee Sanders said Monday that the administration would look “extensively” into whether additional regulation is needed to protect user data.
“We have to explore the best ways to make sure that Americans are protected in that sense,” she said at a press briefing.
But industry watchers don’t expect much to happen in Washington beyond talk.
“We still see no path to passage for meaningful data breach legislation in this Congress,” Isaac Boltansky, an analyst with Compass Point Research, wrote in a note Monday.
The problem, Boltansky told CNN Tech, is there are simply too many stakeholders. Financial firms, retailers, security companies and regulators “all have different goals” for data breach legislation. As an example, he says various parties might agree on the need for a notification standard but disagree on “which entity should bear the cost.”
“Like many things in D.C.,” Boltansky says, “there is broad support conceptually, but that support dissipates once the discussion shifts to specifics.”
Any legislative push on this issue is undermined by what DJ Patil, the former U.S. chief data scientist under President Obama, says is a lack of “technical expertise” in the White House and Congress.
A number of top White House technology and science positions, including the CTO role, remain unfilled. Several members of the White House cyber security council, including Patil, resigned last month in protest after Charlottesville.
“You don’t have a policy brain … keeping pressure on this problem to find a viable solution for everybody,” Patil says. “Not just a viable solution for today, but a viable solution as technology radically changes.”
Beyond that, there is the question of political will. The Republican Congress and White House have been focused on stripping away regulations this year.
Congress, with President Trump’s backing, scrapped Internet privacy protections and has moved to roll back the Dodd-Frank financial reform package put in place during the previous administration.
In fact, Washington’s push for deregulation received an early nod of approval from none other than the CEO of Equifax.
“If the Trump administration moves along the path of moderating regulation, that’s good for our customers and us,” Richard Smith, Equifax’s CEO, said in one February interview, focusing on the tougher Dodd-Frank rules Congress passed after the financial crisis.
Equifax spent $1.1 million on lobbying last year, according to data from the Center for Responsive Politics. It also gave another $165,000 in campaign contributions, the majority of which went to Republicans in the House and Senate.
“In the context of an anti-regulatory, corporate-oriented Congress, the inertia is all against taking steps to protect consumers,” says Robert Weissman, president of Public Citizen, a nonprofit government watchdog group. “We have to overcome that inertia.”
In July, the House voted to repeal a rule intended to make sure consumers can bring class action lawsuits against financial firms. The repeal effort, sitting in the Senate, has now gained renewed scrutiny thanks to Equifax. The credit firm initially forced customers to agree to arbitration in order to sign up for its credit monitoring service after the breach.
Sen. Elizabeth Warren tweeted that the “new rule would stop companies like @Equifax from avoiding legal accountability like this — as long as @GOP doesn’t reverse it.”
Weissman thinks it’s possible the “outrage” over Equifax could “tip the balance” and stop Republicans from repealing the class action rule. Longer term, he’s also optimistic that the damage piling up from data breaches will lead to legislation.
But, he added, “I’m skeptical that we’re there on this one.”