Massive Equifax Cyberattack May Push Congress on Breach Notice Law


By Daniel R. Stoller

The massive cyberattack against Equifax Inc. that compromised highly sensitive data on over 40 percent of the U.S. population may push Congress to pass a national data breach notification law, but a quick fix is unlikely, cybersecurity professionals and attorneys told Bloomberg BNA.

House committees, including the Judiciary Committee, Financial Services Committee, and Energy and Commerce Committee, announced Sept. 8 they will hold hearings in the near future on the breach and whether to adopt a federal notice law.

Companies facing a data breach must deal with separate breach notification laws in 48 states and the District of Columbia. Bills to create a single federal data breach notice standard to preempt the state law patchwork have been introduced without success in Congress since 2003, with interest peaking after major breach events. Whether the Equifax breach will spark a different result remains to be seen.

U.S. credit bureau Equifax announced Sept. 8 that it discovered a large-scale data breach July 29 that affected 143 million consumers. Equifax raked in $3.15 billion in fiscal year 2016 revenue, Bloomberg data show.

After the Target Corp. 2013 breach, the Sony Pictures Entertainment Inc. 2014 breach, and the Home Depot Inc. 2014 breach, lawmakers and industry stakeholders pushed for a national data breach notification standard, saying it was needed to relieve corporate compliance burdens and provide clarity to consumers after an attack. Congress held hearings on the breaches and new legislation was introduced each time.

The Equifax data breach is eliciting a similar response from Congress.

Co-chairman of the Congressional Cybersecurity Caucus Rep. Jim Langevin (D-R.I.) told Bloomberg BNA that he plans to offer a bill that would require “a national data breach notification standard.” Congress will “investigate these issues further,” he said.

Lawmakers reignited the debate on a federal data breach notification standard. House Majority Leader Kevin McCarthy (R-Calif.), Reps. Maxine Waters (D-Calif.) and Ted Lieu (D-Calif.), and Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) all made public statements in support of a national data breach notice standard and further cybersecurity legislation.

Wyden told Bloomberg BNA Sept. 8 that a national breach notice law would help make companies accountable for breaches.

House Judiciary Committee Chairman Bob Goodlatte (R-Va.) told Bloomberg BNA that his committee would address the delay in notification after Equifax discovered the breach.

Tipping Point?

The U.S. will eventually “reach a tipping point,” where the size of a data breach, consumers’ responses to the incident, the political will of lawmakers, and corporate interests will intersect to effectuate a national standard, Evan Wolff, privacy and cybersecurity partner at Crowell & Moring LLP in Washington, told Bloomberg BNA. But a quick legislative result based on the Equifax breach is unlikely, he said.

But others say there is a heightened cybersecurity threat awareness that may make passing legislation more likely now.

The Equifax breach may be “the warning shot heard around the world,” Peter Tran, general manager and senior director in the Worldwide Advanced Cyber Defense Practice at RSA Security in Boston, told Bloomberg BNA.

Paige Schaffer, president and chief operating officer of Generali Global Assistance’s identity and digital protection services global unit, told Bloomberg BNA that a breach of Equifax’s scale poses “a real threat to our economic security.”

Ultimately, the complexity of cybersecurity and breach notice issues may make it difficult for lawmakers to pass legislation.

The variety of different kinds of sensitive data, including financial, health, trade secret, and children’s information, may “prove to be far too cumbersome” to adopt a national standard, Steven S. Rubin, partner at Moritt Hock & Hamroff LLP in Garden City, N.Y. and co-chairman of the firm’s cybersecurity practice group, told Bloomberg BNA.

Representatives for Equifax didn’t immediately respond to Bloomberg BNA’s email request for comments.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
