Consumer Electronics Daily was a Warren News publication.
Nelson Floats NSA Cooperation

Senate Commerce Members Float Data Breach Legislation Amid Equifax, Yahoo Criticisms

Senate Commerce Committee members interspersed bipartisan condemnations Wednesday of Equifax and Yahoo over the companies' major data breaches with a pointed discussion on contours of possible legislation aimed at curbing future incidents. Current and former executives from Equifax and Yahoo got a scolding over inability to prevent the tech break-ins and their responses. Equifax has faced scrutiny in both houses since revealing in September that criminals exploited a website application vulnerability from mid-May through July to access personal information, potentially exposing data of more than 143 million Americans (see 1709080019, 1709260021, 1709270004, 1710030034 and 1710040039). Yahoo, now part of Verizon's Oath, believes all of the 3 billion current and former users of its email service were exposed in a pair of 2013 and 2014 data breaches first disclosed in 2016 (see 1609220046).

Former Yahoo CEO Marissa Mayer “sincerely” apologized to victims of the company's two breaches but noted it worked to “promptly” report the incidents to federal law enforcement. She said Yahoo has “not been able to determine who perpetrated the 2013 breach.” The FBI linked the subsequent 2014 breach to Russian intelligence agents and Russia-hired hackers (see 1703150068). Verizon Chief Privacy Officer Karen Zacharia confirmed Yahoo “took steps to protect all users.”

Interim Equifax CEO Paulino do Rego Barros apologized to all consumers whose data was exposed in the credit monitoring service's breach and said his highest priority is to strengthen cybersecurity and improve services for affected consumers. Improvements to Equifax's online presence and changes in the company's communications with consumers caused a “substantial reduction in delays and backlogs,” Barros said. Former CEO Richard Smith continued to take the blame for the hack.

Senate Commerce Chairman John Thune, R-S.D., confirmed earlier reports he issued a subpoena for Mayer to testify, downplaying its significance to reporters. Mayer “got here” and “we're glad she decided to make an appearance,” he said: “She was at the helm when all of this happened at Yahoo and her testimony and responses are important” to informing the debate on future legislation. Mayer's unwillingness to testify absent a subpoena shows “why Congress needs to legislate in this area,” Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii, later told reporters.

Thune expressed frustration with Equifax and Yahoo, pressing Mayer on how it took Yahoo more than three years to fully understand the scope. Yahoo still hasn't “been able to identify the intrusion” that led to the 2013 breach and still has other gaps in its information about the incident, Mayer said. Thune said it's “hard to fathom” how Equifax's breach was caused by “one employee” failing to correctly patch an IT vulnerability.

Senate Commerce ranking member Bill Nelson, D-Fla., said it's “going to take more” than the private sector's existing cybersecurity commitments, particularly given statements by Mayer and others that companies' cyber protections are no match against state-sponsored actors. “There's going to have to be cooperation” between the private sector and the NSA to better protect against state-sponsored cyberattacks, given the view that the agency is the “most sophisticated” U.S. cybersecurity entity, he said. Nelson urged Equifax to participate in an “attitude change” on cybersecurity, noting the company holds a “financial guillotine” over the heads of U.S. consumers.

Nelson and Senate Communications Chairman Roger Wicker, R-Miss., were among those floating legislative solutions to curb data breaches. “Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” Nelson said. Wicker noted his interest in a recommendation from Entrust Datacard CEO Todd Wilkinson that the U.S. follow Brazil's lead in issuing “digital identity” certifications to all citizens as a substitute for widespread use of Social Security numbers and passwords as digital identifiers.

Sen. Maria Cantwell, D-Wash., said it's time to get “very serious” about passing legislation to prevent data breaches, suggesting the federal government might need to nudge companies to “be very religious” about cyber hygiene. Sen. Ed Markey, D-Mass., faulted Republicans for the Congressional Review Act resolution of disapproval effort that in March abolished FCC ISP privacy rules (see 1706070050). The CRA killed off the most effective tool in holding actors like Verizon accountable for data breaches, he said. “Now we have nothing.”