Portman, Carper Want in on Senate Privacy Legislation Effort
Sens. Rob Portman, R-Ohio, and Tom Carper, D-Del., are developing legislative proposals on data security and privacy and want to collaborate with the Senate Commerce Committee, Portman and Carper said Thursday. Thursday’s Senate Investigations Subcommittee hearing should help refine data security legislation, Portman told reporters. Earlier, he questioned Equifax, Marriott and the FTC’s Consumer Protection Bureau chief.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
“There’s pretty good evidence” Chinese state actors were responsible for the 2017 Equifax (see 1809070053) and 2018 Marriott (see 1901140033) data breaches, Carper told reporters. The Senate Homeland Security Committee released a 65-page report Wednesday, which Carper said showed Equifax neglected basic business practices. A 2015 internal audit alerted the company to 8,500 vulnerabilities with overdue patches, said the report. Company policy required critical patches within 48 hours, but the Apache Struts vulnerability wasn’t patched until August 2017, the report said.
Neither company identified the origin of the hackers, said Equifax CEO Mark Begor and Marriott CEO Arne Sorenson. Sen. Jacky Rosen, D-Nev., cited comments from Secretary of State Mike Pompeo linking the Marriott breach to Chinese hackers. The short answer is “we don’t know” who’s responsible, Sorenson said, saying it’s inadequate to draw inferences from company information. He deferred to the FBI, which Marriott “shared everything with,” so enforcers can make that determination. Marriott is focused on “making sure the door is closed,” Sorenson said. That work includes encrypting all guest data, like passport information, decentralizing data storage and deleting data when it’s no longer needed.
Begor repeatedly cited Equifax’s increased technology and security spending by an incremental $1.25 billion between 2018 and 2020. The company updated all patching processes, implemented automated tools to avoid human error, and continuously scans the “environment,” said Chief Security Officer Jamil Farshchi. “We can do a lot better,” Begor said.
FTC Consumer Protection Bureau Director Andrew Smith downplayed the potential impact from a state patchwork of privacy laws in the absence of congressional action. Every state has enacted its own law, and “the sky hasn’t fallen. I feel as if companies have probably figured out how to comply,” Smith said. There is, however, a benefit to a federal standard with the ease of compliance, but companies are complying with a multiplicity of standards now, he said. He repeated that the commission urged Congress to enact comprehensive data security legislation that includes rulemaking authority, civil penalty authority and enhanced jurisdiction.
Recent developments on internet privacy and data security suggest “this is an appropriate time for Congress to consider comprehensive” privacy legislation, said GAO Director-Financial Markets and Community Investment Alicia Puente Cackley. Her agency said as much in a recent report released by the House Commerce Committee (see 1902130058). Lack of specific federal standards leaves consumers at risk, she said.