Several senators said today that high-profile private-sector data breaches like those disclosed by Equifax in 2017 and Marriott in 2018 serve to boost the urgency with which Congress should act to approve legislation that would implement the country’s first national private-sector cybersecurity regulations and procedures.
Equifax CEO Mark Begor and Marriott CEO Arne Sorenson testified about those breaches before the Senate Homeland Security and Government Affairs Committee’s Subcommittee on Investigations today.
Last night, the subcommittee released a report that investigated Equifax’s September 2017 data breach that exposed the personal information of 143 million Americans. Equifax waited six weeks before notifying the public about the breach, and the report states that the company knowingly failed to mitigate the breach, which its security staff first detected in March 2017.
Amid the subcommittee’s findings, the report recommends that Congress pass legislation to establish a national standard that requires private organizations that collect and store personally identifiable information (PII) to disclose data breaches and to take appropriate steps to prevent cyber attacks and breaches.
Several government-promoted cybersecurity recommendations already exist, such as the National Institute of Standards and Technology (NIST) cyber framework, but in many cases adoption of government-mandated security protocols is not mandatory for private companies, the subcommittee noted.
The report also urges that Congress pass legislation that requires private companies that suffer data breaches to notify affected consumers, law enforcement, and federal regulatory agencies without delay.
There are currently state-level data breach-notification laws, but the report said that without national standards, the state statutes offer only inconsistent approaches and timelines for notification. Not only did Equifax notify the public of its breach six weeks after it happened, but Marriott waited 12 weeks to do so after its September 2018 breach, the subcommittee reported.
“Companies and government agencies alike must take steps to better protect the data consumers trusted in them,” Sen. Rob Portman, R-Ohio, said at today’s subcommittee hearing. “When that data’s compromised, we need to know as soon as possible so that we can do everything we can to ensure criminals are no longer taking advantage of us as consumers.”
Sen. Tom Carper, D-Del., highlighted a 2017 Pew Research Center study that states half of Americans believed their personal information is less secure than it was five years before and that more than 40 percent of Americans found fraudulent charges on their credit cards—including members of his own family. Carper used this data to stress the urgency of passing consumer data protection legislation.
“I think it’s long past time for us to come to an agreement on a federal data security law that lays out for private industry what we expect from them, both in data protection and in data breach notification,” Carper said.
The report stated that Congress should push for additional federal efforts to share information and suggested sharing best practices with private companies about cybersecurity threats to advance protection goals. Carper emphasized those points in his opening statement, using Equifax as an example.
“If a company as large and sophisticated as Equifax can fail so badly at implementing basic cybersecurity practices, we can certainly do a better job at making clear what will and what won’t work when it comes to blocking hackers and preventing data breaches,” Carper said.
Begor welcomed cooperation between the government and private sector.
“Fighting these attackers will require cooperation between government, law enforcement, and the private sector,” he said of the increasing threat of cyberattacks. “We appreciate that members of this subcommittee have introduced legislation that promotes this type of partnership, and we support these efforts.”