Congress punts hacker fight to 2015

Congress is punting the fight against hackers to next year. 

Lawmakers have indicated that they are already preparing ways to protect against the scourge of data breaches, even though they have largely failed to mount a successful response to major attacks at stores like Target and Home Depot.

{mosads}Privacy and digital security issues “are going to continue to be front and center, just because of the environment that we’re in,” Sen. John Thune (R-S.D.) told reporters last week. 

If Republicans win a majority in the upper chamber this November, Thune is likely to become chairman of the Senate Commerce Committee, one of the multiple panels with jurisdiction over data security.

“I suspect that that will be one of many issues that we’ll be looking at,” Thune said.

Republicans aren’t currently preparing any particular measure, he said, but “our folks on the committee have given a lot of consideration to things that we might do in the next Congress, if in fact we are in the majority.”

Senate Homeland Security Committee Chairman Tom Carper (D-Del.), leader of another panel with jurisdiction in the area, told The Hill that the recent record-setting Home Depot breach illustrates that the incidents are becoming “more frequent and more disruptive.”

“This is a growing problem and it’s time for Congress to update and streamline our standards for protecting Americans from fraud and identity theft,” Carper said in a statement.

Nearly one year ago, hackers broke into Target systems and stole information about 40 million shoppers’ credit and debit cards, prompting hearings in at least a half-dozen congressional committees and a flurry of new bills in both chambers.

Last week, Home Depot confirmed that hackers had also stolen data about from about 56 million cards used in their stores — 16 million more than Target’s massive breach.

In response to those hacks — as well as other incidents from JPMorgan Chase to eBay and the theft of hundreds of intimate photos of celebrities including Jennifer Lawrence and Kate Upton — Capitol Hill has responded with little more than talk.

“It’s clear that this threat to consumers isn’t going away,” Sen. Jay Rockefeller (D-W.Va.), the retiring chairman of the Commerce Committee, said in a statement. “With the data of millions more at risk, Americans should start asking their senators and representatives why there are no basic protections in place to safeguard them.” 

Congress has tried before, most recently in the wake of the Target hack. And Home Depot adds a newer dynamic to the mix.

“This is going to be even more of an impact than Target in terms of impacting our members and consumers and credit unions,” said the National Association of Federal Credit Union’s Carrie Hunt, senior vice president of government affairs and general counsel.

The Target fallout pitted banks and credit unions against the retail industry, with each side pointing the finger at who should pick up the tab for replacing the millions of dollars it costs to replace consumer cards. 

The blame game ended in a rare merging of political policy foes. Both industries, led by the Financial Services Roundtable and Retail Industry Leaders Association, collaborated to form an center for sharing information with each other, in order to protect against possible vulnerabilities. 

But Congress still has a role to play. One popular proposed remedy, which was the subject of multiple lawmakers’ bills, is the creation of a national standard for notifying people after their data my have been stolen.

Forty-seven states and the District of Columbia have enacted their own data breach notification laws, according to the National Conference of State Legislatures, but none exists at the federal level. Companies complain that leaves them with a dizzying maze of rules to deal with.

“That creates unnecessary complexity and risk in terms of getting the notices out to people,” said Mallory Duncan, senior vice president at the National Retail Federation, a major trade group.

Other proposals would give the Federal Trade Commission more power to oversee how companies protect people’s data, but industry groups have largely prickled at the notion of having the government set standards on evolving technology. 

The Electronic Transaction Association (ETA), whose members include American Express, MasterCard and Visa, is cautious against new regulations, fearing that it would only add to state regulations and not be able to keep up with new technology.

“Self-regulatory guidelines effectively ensure that consumer data is secure,” said ETA spokeswoman Meghan M. Cieslak.