The massive data breach at the Atlanta-based credit reporting firm Equifax has thrust into the spotlight the country’s patchwork system of cybersecurity rules and laws that often allow businesses to escape significant penalties for leaving sensitive consumer information at risk.
Congress has done little over the past two decades to put broad standards in place for how companies with reams of personal online data, including Social Security numbers and credit records, should be protecting it or how swiftly consumers should be notified in the event of a breach.
Disputes among privacy experts, bankers, retailers and consumer protection groups have created an impasse on Capitol Hill that’s left most comprehensive legislation on the back burner. In the meantime, rules for companies such as Equifax that make a business out of handling personal information have remained lax.
States have stepped in, but most in a fairly narrow capacity. Forty-eight of them, including Georgia, have laws governing how and when companies should notify consumers and state government officials if sensitive information has been hacked.
Consumer protection groups point out there is often little, though, to encourage companies to lock up their data in the first place. Only about a dozen states have laws that govern standards for cybersecurity at private companies. Georgia is not one of them. And while some states have penalties associated with their breach laws, Georgia does not.
“Companies need to feel pain,” said Liz Coyle, the executive director of Georgia Watch, an advocacy group for protecting consumers. “You think about Equifax being the victims of the data breach. We were the victims; half the country were victims. The consequences need to be much greater.”
Meanwhile, breaches seem to keep getting bigger. In 2014 alone, credit card data for 40 million Target customers, more than 50 million Home Depot shoppers and 76 million JPMorgan Chase households was compromised. In 2015, news emerged that the government’s own servers were hacked, exposing the records of 18 million people who had applied for federal jobs. And while most breaches are conducted by criminal organizations, others have been tied to state-sponsored groups, such as the 2016 breach at the Democratic National Committee viewed by the intelligence community as a Russian attempt to influence the presidential election.
So far, elected officials from Washington to Atlanta have yet to take significant action. But there is cautious optimism among backers of a federal cybersecurity law that the Equifax hack — among the largest ever, involving some 143 million Americans, including 5 million Georgians — could change that.
“I’d like to think the Equifax disaster gives that a push in the right direction,” said U.S. Sen. Roy Blunt, R-Mo.
For years, he has pushed for bipartisan legislation that would set national data security standards for companies and direct them on how to notify consumers if there’s a breach.
Equifax has not responded to media requests since the breach. However, it has published a statement blaming a flaw in open-source software called Apache Struts for allowing criminals to access the data. The Apache Foundation, which oversees the software, said a patch for the flaw had been issued months before the hack but Equifax hadn’t installed it.
Few federal rules
As more and more companies collect personal information on consumers and store it on computers linked to the internet, the number of targets available to hackers has grown exponentially.
Since 2005, there have been 7,679 data breaches that are publicly known with more than 1 billion records breached, according to the Privacy Rights Clearinghouse, a California-based nonprofit that advocates for consumer privacy rights.
But few companies are as target-rich as Equifax. The company and its subsidiaries know practically everything about you. And data it has amassed and sells to banks, lenders and the government influence your ability to take out a loan, get a job, receive federal benefits such as Medicaid — even to win national security clearances.
Since the web’s infancy in the 1990s, Washington has generally avoided regulating the collection of personal data out of fear of stifling growth, said James Lewis, a cybersecurity expert at the Washington think tank the Center for Strategic and International Studies.
“You have this history of no rules on the internet, and that’s part of why it’s the Wild West,” Lewis said.
Countless legislative efforts in recent years have also sputtered due to opposition from companies and a thicket of diverse and powerful interest groups all demanding different things.
President Barack Obama pushed several bills, only to watch them crash and burn. Eventually he signed an executive order aiming to protect data through voluntary efforts involving federal agencies and the owners of privately owned companies such as utilities designated as critical infrastructure.
He also directed all federal agencies to use the full extent of their existing authorities and apply them to cybersecurity.
FTC steps in
The Federal Trade Commission became one of the prime federal enforcers of data security through its authority to protect consumers against unfair and deceptive practices. Enforcement actions largely targeted businesses where systemic and repeated personal data security breaches occurred.
“We did an enormous amount. We brought over 60 important cases,” said Jessica Rich, the former director of the FTC’s Bureau of Consumer Protection during the second half of the Obama administration, who recently joined Consumer Reports as vice president of consumer policy and mobilization.
Some of the most high-profile FTC cases have been against Georgia companies. In 2006, ChoicePoint, an Alpharetta-based consumer data broker, settled a case with the FTC for $15 million in penalties and consumer redress payments after a data breach affecting 163,000 consumers led to the identity theft of at least 800 people.
Still, Rich said the FTC could do more with stronger tools, such as civil penalties authority.
While the FTC has power to issue penalties in certain circumstances, Rich said there needs to be a single, comprehensive law related to cybersecurity. Currently, she said, “each law that exists has gaps.” And in some situations, such as with nonprofits and some telecommunications companies, the FTC has no jurisdiction in cybersecurity cases.
The Trump administration for now has picked up where Obama left off, Lewis said, despite a broader push to cut back on federal red tape. President Donald Trump has kept Obama’s governmentwide actions in place and issued an executive order in May seeking to bolster the government’s own cyberdefenses.
Last week, Trump’s press secretary, Sarah Huckabee Sanders, indicated the huge scale of the Equifax hack could mean new rules may be needed. “I think this is something we have to look into extensively,” she said.
In the absence of congressional action, most states have adopted security breach notification laws. In most states, the laws require companies to notify consumers. Some also require reports to state officials.
Georgia’s law, first adopted in 2005, requires companies to notify consumers who’ve had their personal information breached. The law does not state a specific deadline for notice, does not require the company to notify state regulators, and does not provide for financial penalties for companies that fail to properly notify.
Coyle, with Georgia Watch, thinks the state needs to do more. “We know this is a big problem for Georgia consumers,” she said.
But even when states have laws that require companies to implement reasonable security measures and practices, there’s not much evidence those laws lead companies to act differently.
“What has become clear over the past few years is that companies have yet to internalize risk that does affect consumers,” said David Forscey, a policy analyst with the National Governors Association who has studied cybersecurity regulation. “There have not been many strict enforcement actions against companies.”
Some say a national fix is needed.
“One of the challenges for companies is how do they keep up with all the myriad state laws,” said Megan Stifel, a cybersecurity expert at the think tank the Atlantic Council. “It could be the standard differs based on the number of documents or victims’ records — the standards are all over the map.”
The lack of clearly spelled-out federal law around protecting personal information and cybersecurity leaves companies guessing about standards, said Michael Vatis, a Washington-based attorney with the firm Steptoe & Johnson who specializes in helping companies navigate cybersecurity issues.
“The federal government and state governments have taken a largely hands-off approach,” he said. “Then they come down hard on the company, and they are victimized twice, first by the hackers and then they’re made a showcase for the government.”
The road ahead
Despite swift and widespread condemnation of Equifax following the hack, it’s still unclear whether the mammoth breach will lead to any policy changes.
Multiple congressional committees — as well as the FTC — have announced inquiries. A bipartisan coalition of attorneys general from 36 states, including Georgia, has formed a joint investigation.
Senators who have long been advocating for their own cybersecurity bills have begun dusting off their old drafts and renewing discussions about a broad plan that could win the support of enough colleagues.
“We’ve talked a good game for years now about protecting sensitive data, about investigations when there’s a breach, about notification,” said U.S. Sen. Tom Carper, D-Del., who has worked with Missouri’s Blunt for years on a cybersecurity bill. “We’ve got to stop talking about it and do something.”
More tailored bills have also emerged since the hack became public. U.S. Sen. Ron Wyden, D-Ore., for example, introduced a measure that would guarantee all Americans the use of personal identification numbers to freeze and unfreeze their credit for free.
Fault lines have also emerged.
Some libertarian-leaning Republicans, such as U.S. Sen. Rand Paul, R-Ky., say the government should not be telling private companies such as Equifax what they can and cannot do. Athens-area Republican Congressman Jody Hice said he wanted to hear more about what happened with Equifax before recommending policy, but that “as a general rule, companies like that have got to police themselves or they’re going to lose business.”
Many other Georgia congressmen have trodden carefully after the hack, urging their colleagues to hear from Equifax’s top executives before considering next steps.
“If you make those decisions before you investigate, you’re going to do the wrong thing,” said U.S. Sen. Johnny Isakson, R-Ga.
Some consumer advocates want to see uniform protections across the country, which would require strong enforcement at the federal level. Henry Turner, a Decatur attorney who has fought for consumers, said the FTC and the Consumer Financial Protection Bureau should be properly empowered to rein in credit reporting agencies. “For years the credit bureaus, the oligopoly, have spent a fortune lobbying to prevent that from happening,” he said.
Other consumer advocates fear that special-interest groups will end up weakening the current law.
“Industry lobbyists are already circling the Hill … to pass a version of their long-festering, industry-backed efforts to pass weak federal data breach rules that take away stronger state protections,” said Ed Mierzwinski, the consumer program director with the U.S. Public Interest Research Group.
Meanwhile, business advocates say that imposing stiff penalties for breaches wouldn’t be fair. Hacks are now common, and even companies that do everything right can be victimized, said Gilbert Schwartz, a Washington-based attorney who represents financial services clients.
“It’s something we’re all going to be dealing with for the foreseeable future,” he said. “Folks are going to have to get used to their information is at risk.”
Business columnist Matt Kempner contributed to this article.