Sen. John D. Rockefeller, D-W.Va., is voicing deep frustration about the inability of Congress to pass meaningful legislation aimed at ramping up protecting personal information from cyber attacks.
Congress has been trying to broaden consumer protection from data breaches through legislation since at least 2012. Two bills dealing with the issue are pending in the Senate, and a House subcommittee passed similar legislation in January.
At a hearing Wednesday on the issue before the Senate Committee on Commerce, Science & Transportation he heads, Rockefeller said that while Congress deserves its share of the blame for inaction, but “I am increasingly frustrated by industry’s disingenuous attempts at negotiations.
“It’s time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on,” he said.
Rockefeller also noted that one company he asked to testify at the hearing, Snapchat, refused to appear. Snapchat, and other companies such as Wickr and Frankly, provide “ephemeral messaging apps.” These companies advertise that your photo, message or update will only be accessible for a short period, and are emerging growth companies. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there’s no record.
Snapchat was hit with a broad security breach in early January, with a hacker boasting that he had accessed 4.6 million Snapchat accounts. The leak allowed explicit photos, mostly of younger women sent by Snapchat subscribers, to be displayed on the Internet.
“When people refuse to testify in front of this committee, instinct tells me they are hiding something,” Rockefeller said. “In this instance, on this subject, I think it warrants closer scrutiny.”
Rockefeller and his staff declined repeatedly to comment on the issue. But in the view of industry officials and committee staffers, Rockefeller’s comments at the hearing reflected his concern that the magnitude of the breach and the type of material released justified public accountability.
The opposition to cyber protection legislation is being led by thousands of websites, including Craigslist and Reddit. They argue that the legislative proposals fail to protect the privacy of Internet users.
The effort is organized by the Electronic Frontier Foundation and the Internet Defense League, an organization of Internet activists who led an online outcry last year that led to the defeat of anti-piracy legislation introduced in the House known as SOPA.
In 2012, legislation known as the Cyber Intelligence Sharing and Protection Act, or CISPA, failed in the Senate due to similar opposition. The opponents argued that it would erode privacy on the web by encouraging the growth of a public-private partnership between internet companies and the federal government.
Rockefeller’s bill, the Cybersecurity Act of 2013, S. 1976, would establish federal consumer data security and breach notification standards. It would do so by directing the Federal Trade Commission (FTC) to circulate rules requiring companies to adopt reasonable, but strong, security protocols; require companies to notify affected consumers in the wake of a breach; and authorize both the FTC and state attorneys general to seek civil penalties for violations of the law.
Sen. John Thune, R-S.D., ranking minority member of the panel, has his own bill, the Data Security and Breach Notification Act of 2013, S. 1193. It would require companies possessing personal data to notify consumers in a timely manner if their information has been unlawfully taken.
He said his bill would establish uniform federal breach notification standard that replace the patchwork of laws in 46 states and the District of Columbia. “A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm,” Thune said at the hearing. “Such a standard would also provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses.”
However, Thune’s bill is much more modest, and doesn’t give the FTC the strong powers provided in Rockefeller’s bill gives FTC rulemaking authority to require “covered entities” to establish an information security program if own or possess “personal information” or contracts with a third party to maintain. Thune’s bill only requires companies hit by breaches ”to take reasonable measures” to protect and secure data in electronic form containing “personal information.”
The House bill is the National Cybersecurity and Critical Infrastructure Protection Act of 2013, H.R. 3696. It was passed in January by the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies by voice vote.
It is a far weaker bill that would create a threat-information-sharing partnership between the Department of Homeland Security and the owners and operators of the nation’s critical infrastructure systems. It also establishes a framework through which the DHS can work with international partners to harden the security of systems outside the U.S.
However, it does not require rapid notification by companies of securities breaches and provides no power for the agency to write rules that mandate such notification. It also ignores the role of the FTC in protecting consumers from data breaches.
At the Senate hearing, Edith Ramirez, chairwoman of the Federal Trade Commission, used the hearing to reiterate the FTC’s longstanding, bipartisan call for enactment of a strong federal data security and breach notification law. “Never has the need for legislation been greater,” she said. “With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft Congress must act.”