Trade Law Daily is a service of Warren Communications News.
DelBene: IRS-Equifax Deal 'Concerning'

Langevin Hopeful National Data Breach Notification Legislation Moves Forward

Rep. Jim Langevin, D-R.I., expects Congress to view favorably national data breach notification legislation that he introduced after Equifax announced personal information of 145.5 million Americans was compromised. “It’s ripe to be taken up and I’m going to keep pushing it,” he told us Wednesday after an IoT event. Earlier, Rep. Suzan DelBene, D-Wash., who also spoke at the event, told us more information is needed about the Equifax breach before approving any legislation, as well as about an IRS contract recently awarded to the credit monitoring agency.

Langevin, who co-chairs the Congressional Cybersecurity Caucus, said HR-3806 would streamline the patchwork of 48 state data breach notification laws into a single national law. The bill would require companies to notify customers 30 days after a breach and would authorize the FTC to coordinate the response. Langevin, who noted his personal data was compromised in the breach, told us a distinguishing factor in the bill is that if the company delays notifying customers, the FTC, not the company, would make that decision. Langevin said the response from former Equifax CEO Richard Smith, who testified last week in four House and Senate hearings about the breach (see 1710050045, 1710040039 and 1710030034), was “insufficient” and the company’s response “sluggish.”

Dan Caprio, who worked at the FTC and Commerce and is now chairman of cybersecurity consulting company Providence Group, told us he thinks the breach, coming after so many high-profile incidents, “might finally be the tipping point” for federal data breach notification legislation. Beyond that, he said companies should use the National Institute of Standards and Technology’s Cybersecurity Framework, a voluntary set of guidelines to help organizations assess their security and privacy risks, as a “strategic imperative.” Many high-profile breaches occur because security and privacy aren’t viewed across the enterprise, with CEOs and boards essentially out of the loop, he added.

DelBene, who's an IoT Caucus co-chair, said Congress needs to get to the bottom of what happened. “It’s extremely concerning,” she said. “We’ve heard about folks not even doing basic cyber hygiene on their systems. People were not made aware. Information was not shared with others so that folks could act as quickly as possible.” She wants more details about what happened to ensure it doesn’t happen again. Asked if she would sign on to any data breach notification or other related bills, DelBene said conversations are ongoing, and she wants to get to the bottom of how this happened and what Congress can do.

DelBene also was among House and Senate members seeking more information about the IRS recently awarding a no-bid contract to Equifax to verify identities of taxpayers (see 1710040042). In a letter to her, IRS Commissioner John Koskinen said Equifax was the incumbent on the previous contract, which expired Sept. 30, so the agency awarded an “interim, short-term” contract Sept. 29 since the company was “the only vendor that can provide” the services. The alternative would have been to shut down online access to taxpayer accounts, which would have affected people filing extensions and those hit by the hurricanes, he said in the letter provided by the congresswoman's office.

Koskinen said in the letter that after hearing of Equifax’s breach, the IRS did a comprehensive internal review and performed an on-site inspection of the credit monitoring service’s facility, which showed no taxpayer data was compromised. DelBene noted GAO said the IRS could have taken other options: "We're continuing to dig into that to understand why an agreement was signed with a company that just had a massive breach ... seems very concerning that the IRS would move forward."

A bipartisan group of House Commerce Committee lawmakers wrote Koskinen Tuesday. "The timing and nature of this IRS contract raises red flags given the recent breach at Equifax," the letter said.