“Companies need to feel pain,” said Liz Coyle, the executive director of Georgia Watch, an advocacy group for protecting consumers. “You think about Equifax being the victims of the data breach. We were the victims; half the country were victims. The consequences need to be much greater.”
Meanwhile, breaches seem to keep getting bigger. In 2014 alone, credit card data for 40 million Target customers, more than 50 million Home Depot shoppers and 76 million JPMorgan Chase households was compromised. In 2015, news emerged that the government’s own servers were hacked, exposing the records of 18 million people who had applied for federal jobs. And while most breaches are conducted by criminal organizations, others have been tied to state-sponsored groups, such as the 2016 breach at the Democratic National Committee viewed by the intelligence community as a Russian attempt to influence the presidential election.
So far, elected officials from Washington to Atlanta have yet to take significant action. But there is cautious optimism among backers of a federal cybersecurity law that the Equifax hack — among the largest ever, involving some 143 million Americans, including 5 million Georgians — could change that.
“I’d like to think the Equifax disaster gives that a push in the right direction,” said U.S. Sen. Roy Blunt, R-Mo.
For years, he has pushed for bipartisan legislation that would set national data security standards for companies and direct them on how to notify consumers if there’s a breach.
Equifax has not responded to media requests since the breach. However, it has published a statement blaming a flaw in open-source web software called Apache Struts for allowing criminals to access the data. The Apache Software Foundation, which oversees the software, said a patch for the flaw had been issued months before the hack but Equifax hadn’t installed it.
Few federal rules
As more and more companies collect personal information on consumers and store it on computers linked to the internet, the number of targets available to hackers has grown exponentially.
Since 2005, there have been 7,679 publicly known data breaches, exposing more than 1 billion records, according to the Privacy Rights Clearinghouse, a California-based nonprofit that advocates for consumer privacy rights.
But few companies are as target-rich as Equifax. The company and its subsidiaries know practically everything about you. And the data it has amassed and sells to banks, lenders and the government influences your ability to take out a loan, get a job, receive federal benefits such as Medicaid — even to win a national security clearance.
Since the web’s infancy in the 1990s, Washington has generally avoided regulating the collection of personal data out of fear of stifling growth, said James Lewis, a cybersecurity expert at the Washington think tank the Center for Strategic and International Studies.
“You have this history of no rules on the internet, and that’s part of why it’s the Wild West,” Lewis said.
Countless legislative efforts in recent years have also sputtered due to opposition from companies and a thicket of diverse and powerful interest groups all demanding different things.
President Barack Obama pushed several bills, only to watch them crash and burn. Eventually he signed an executive order aiming to protect data through voluntary efforts involving federal agencies and the private owners of systems designated as critical infrastructure, such as utilities.
He also directed all federal agencies to use the full extent of their existing authorities and apply them to cybersecurity.
FTC steps in
The Federal Trade Commission became one of the prime federal enforcers of data security through its authority to protect consumers against unfair and deceptive practices. Enforcement actions largely targeted businesses where systemic and repeated personal data security breaches occurred.
“We did an enormous amount. We brought over 60 important cases,” said Jessica Rich, the former director of the FTC’s Bureau of Consumer Protection during the second half of the Obama administration, who recently joined Consumer Reports as vice president of consumer policy and mobilization.
Some of the most high-profile FTC cases have been against Georgia companies. ChoicePoint, an Alpharetta-based consumer data broker, settled with the FTC in 2006, paying $15 million in civil penalties and consumer redress after a breach exposed the records of 163,000 consumers and led to at least 800 cases of identity theft.
Still, Rich said the FTC could do more with stronger tools, such as civil penalties authority.
While the FTC has power to issue penalties in certain circumstances, Rich said there needs to be a single, comprehensive law related to cybersecurity. Currently, she said, “each law that exists has gaps.” And in some situations, such as with nonprofits and some telecommunications companies, the FTC has no jurisdiction in cybersecurity cases.
The Trump administration for now has picked up where Obama left off, Lewis said, despite a broader push to cut back on federal red tape. President Donald Trump has kept Obama's governmentwide actions in place and issued an executive order in May seeking to bolster the government's own cyberdefenses.
Last week, Trump’s press secretary, Sarah Huckabee Sanders, indicated the huge scale of the Equifax hack could mean new rules may be needed. “I think this is something we have to look into extensively,” she said.
In the absence of congressional action, most states have adopted security breach notification laws. These laws generally require companies to notify affected consumers, and some also require reports to state officials.
Georgia’s law, first adopted in 2005, requires companies to notify consumers who’ve had their personal information breached. The law does not state a specific deadline for notice, does not require the company to notify state regulators, and does not provide for financial penalties for companies that fail to properly notify.
Coyle, with Georgia Watch, thinks the state needs to do more. “We know this is a big problem for Georgia consumers,” she said.
But even when states have laws that require companies to implement reasonable security measures and practices, there’s not much evidence those laws lead companies to act differently.
“What has become clear over the past few years is that companies have yet to internalize risk that does affect consumers,” said David Forscey, a policy analyst with the National Governors Association who has studied cybersecurity regulation. “There have not been many strict enforcement actions against companies.”
Some say a national fix is needed.
“One of the challenges for companies is how do they keep up with all the myriad state laws,” said Megan Stifel, a cybersecurity expert at the think tank the Atlantic Council. “It could be the standard differs based on the number of documents or victims’ records — the standards are all over the map.”
The lack of clearly spelled-out federal law around protecting personal information and cybersecurity leaves companies guessing about standards, said Michael Vatis, a Washington-based attorney with the firm Steptoe & Johnson who specializes in helping companies navigate cybersecurity issues.
“The federal government and state governments have taken a largely hands-off approach,” he said. “Then they come down hard on the company, and they are victimized twice, first by the hackers and then they’re made a showcase for the government.”
The road ahead
Despite swift and widespread condemnation of Equifax following the hack, it’s still unclear whether the mammoth breach will lead to any policy changes.
Multiple congressional committees — as well as the FTC — have announced inquiries. A bipartisan coalition of attorneys general from 36 states, including Georgia, has formed a joint investigation.
Senators who have long been advocating for their own cybersecurity bills have begun dusting off their old drafts and renewing discussions about a broad plan that could win the support of enough colleagues.
“We’ve talked a good game for years now about protecting sensitive data, about investigations when there’s a breach, about notification,” said U.S. Sen. Tom Carper, D-Del., who has worked with Missouri’s Blunt for years on a cybersecurity bill. “We’ve got to stop talking about it and do something.”
More tailored bills have also emerged since the hack became public. U.S. Sen. Ron Wyden, D-Ore., for example, introduced a measure that would guarantee all Americans the use of personal identification numbers to freeze and unfreeze their credit for free.
Fault lines have also emerged.
Some libertarian-leaning Republicans, such as U.S. Sen. Rand Paul, R-Ky., say the government should not be telling private companies such as Equifax what they can and cannot do. Athens-area Republican Congressman Jody Hice said he wanted to hear more about what happened with Equifax before recommending policy, but that “as a general rule, companies like that have got to police themselves or they’re going to lose business.”
Many other Georgia congressmen have trod carefully after the hack, urging their colleagues to hear from Equifax’s top executives before considering next steps.
“If you make those decisions before you investigate, you’re going to do the wrong thing,” said U.S. Sen. Johnny Isakson, R-Ga.
Some consumer advocates want to see uniform protections across the country, which would require strong enforcement at the federal level. Henry Turner, a Decatur attorney who has fought for consumers, said the FTC and the Consumer Financial Protection Bureau should be properly empowered to rein in credit reporting agencies. “For years the credit bureaus, the oligopoly, have spent a fortune lobbying to prevent that from happening,” he said.
Other consumer advocates fear that special-interest groups will end up weakening the protections that already exist.
“Industry lobbyists are already circling the Hill … to pass a version of their long-festering, industry-backed efforts to pass weak federal data breach rules that take away stronger state protections,” said Ed Mierzwinski, the consumer program director with the U.S. Public Interest Research Group.
Meanwhile, business advocates say that imposing stiff penalties for breaches wouldn’t be fair. Hacks are now common, and even companies that do everything right can be victimized, said Gilbert Schwartz, a Washington-based attorney who represents financial services clients.
“It’s something we’re all going to be dealing with for the foreseeable future,” he said. “Folks are going to have to get used to their information is at risk.”
Business columnist Matt Kempner contributed to this article.