If at any point last year you thought all the blustering in US Congress over the Equifax breach would result in anything meaningful, let me be the first to say: You must be new here.
Sure, it was cathartic watching Equifax executives get smacked around on live television by lawmakers who, only a few short months ago, seemed really upset and determined on behalf of the 145 million consumers whose private information was imperiled. And when in November, Todd Wilkinson, CEO of Entrust Datacard, told a Senate panel that using Social Security numbers as a means of authentication was an antiquated and inefficient system that only abets identity thieves, we all cheered; finally someone with the ear of a powerful group of lawmakers was saying it right.
But nearly four months have gone by since Equifax disclosed its breach (41 days after the company discovered it), and the enthusiasm lawmakers initially displayed to address the lack of a federal law to protect consumers is clearly sputtering out. While at least a half-dozen bills were introduced between the House and Senate since September, not a one appears to be viable.
Politico reported Monday that the data-breach issue had been essentially brushed aside while the Republican-controlled Congress turned its attention toward the tax code overhaul and a short-term spending bill aimed at averting a government shutdown. A long-running team of US senators who've been eyeing a national breach-notification law for years has put their work on hold, for now, the report said.
"Every time another shoe falls, I think, 'Ah, this is it. This will get us galvanised and pull together and march in the same direction,'" Sen. Tom Carper, a Democrat of Delaware and member of that group, told Politico. "Hasn't happened yet," he added.
There are presently 48 separate data-breach laws, including ones for the US territories of Guam, Puerto Rico, and the Virgin Islands. Some states have specific requirements, such as notifying consumers within a certain number of days (the average is around 45 days), while others are more vague. That means a company with customers across the US would potentially have to comb through dozens of laws before responding to a breach. This patchwork, often described as messy, can leave companies scrambling to respond appropriately once a breach is detected.
The Data Security and Breach Notification Act, reintroduced last month by three Senate Democrats, would require companies to notify consumers within 30 days under a number of circumstances, such as in the event of Social Security numbers being compromised, even if they aren't paired with other identifying information. The bill's requirements also extend to cover driver's licence numbers, biometric data, passwords, and other data combinations — a home address and date of birth, for instance.
Politico reported that "jurisdictional issues" have thrown a wrench in the works, with Sen. Mark Warner reportedly singling out the telecom industry. He signalled that while all businesses must be covered under a federal breach law, it may be "tailored" to individual industries, some of which are already held to privacy-specific regulations.
Rep. Jan Schakowsky, Democrat of Illinois, told Politico that every member of Congress has constituents affected by data breaches, citing the large-scale incidents at Target and Equifax specifically. "[Y]ou would think that they would be interested in moving ahead," she said.