Senators call for data breach penalties, tougher privacy laws after Marriott hack
Their ideas are reminiscent of Europe's GDPR.
WASHINGTON - A slew of Democratic senators are calling for tougher privacy laws — and even steep fines for companies that fail to protect their customers' data from data breaches — as a result of Marriott’s admission that hackers compromised the personal information of up to 500 million of its customers.
“We must set clear customer data protection standards for all companies — whether they’re hotel chains, online retailers, or big tech — and severe penalties for those who fall short,” Sen. Richard Blumenthal (D., Conn.) tweeted.
Sens. Mark Warner (D., Va.) and Ed Markey (D., Mass.) also pressed for tougher data security laws, and said Congress needs to set limits on how much customer data U.S. companies are allowed to store. Sen. Ron Wyden (D., Ore.) went even further: He said senior executives who ignore customer data privacy should face jail time.
After potentially one of the largest breaches of consumer data in history, lawmakers appear ready to take a page out of Europe’s playbook to ensure it does not happen again: Their calls for aggressive penalties for companies with poor data security are reminiscent of the General Data Protection Regulation that went into effect in the European Union earlier this year. The GDPR requires companies to implement "appropriate" technical and organizational security measures, to notify regulators of a breach within 72 hours of becoming aware of it, and it allows fines of up to 4 percent of a company’s annual global revenue (or 20 million euros, whichever is higher) for violations. It is unclear, however, how such legislation would fare in a split Congress that appears poised for gridlock.
Wyden outlined on Twitter specific legislation that would impose "harsh fines and prison terms" for companies that misuse consumer data. The bill, which a spokesman said he is preparing to introduce early next year, would set up a new office within the Federal Trade Commission called the Bureau of Technology, give it sweeping powers to punish businesses for lax data security practices, and require it to hire 175 staffers to "police the largely unregulated market for private data."
The bill would also introduce a new set of data security requirements, set up a “do not track” list for individual consumers to opt out of data collection online, and outline “steep fines (up to 4 percent of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives,” according to a release from Wyden’s office.
Sen. Elizabeth Warren (D., Mass.) also said there should be consequences for executives, tweeting, “CEOs won’t take protecting our data seriously unless their own jobs are on the line.”
To address the current crisis, Sen. Charles Schumer (D., N.Y.) said Friday that Marriott should pay for new passports for customers whose passport numbers were stolen.
Marriott, for its part, seemed to admit a degree of culpability for the breach of its Starwood guest reservation database, which contained names, addresses, travel dates and locations, phone numbers, passport numbers and, for some guests, payment card numbers. Marriott said the card numbers were stored encrypted (with AES-128) but that it could not rule out that the keys needed to decrypt them were also taken, and that the unauthorized access dated back to 2014. The breach could leave droves of customers vulnerable to espionage or identity theft.
"We fell short of what our guests deserve and what we expect of ourselves," Marriott president and chief executive Arne Sorenson said in a release. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
But this apology was not sufficient for lawmakers, who insisted that businesses such as Marriott can no longer be trusted to police themselves when it comes to data security.
“It seems like every other day we learn about a new mega breach affecting the personal data of millions of Americans,” Warner said in a statement. “Rather than accepting this trend as normal, this latest incident should strengthen Congress' resolve.”
“If history is any guide, Marriott’s mega data breach will be treated like all the others: The company will apologize and offer useless credit monitoring to the victims impacted,” Wyden tweeted. “The status quo isn’t working.” Several major breaches in recent years have put hundreds of millions of customers' personal information at risk: Target and Yahoo in 2013; Home Depot in 2014; the health insurer Anthem in 2015; and the credit reporting company Equifax last year.
But as of now, U.S. companies rarely face fines for breaches. There is no general federal data security law; obligations exist only for particular sectors (such as HIPAA for health data) or by contract (such as the PCI DSS rules for payment card data), alongside a patchwork of state breach-notification laws. The last major U.S. corporate cybersecurity overhaul was the 2014 Cybersecurity Enhancement Act, which codified the voluntary Cybersecurity Framework managed by the National Institute of Standards and Technology (NIST). That law includes no fines for violations or data breaches.
Ron Gula, a cybersecurity investor who founded the Maryland-based cybersecurity company Tenable Network Security, said Warner and Markey’s idea of limiting the personal information companies can store would not be realistic for companies such as Marriott, though he noted that penalties might help improve their attitudes toward security.
“When you book a Marriott hotel room it’s kind of nice that they already have all of your information when you book a room. ... They are always going to have to collect sensitive data on their customers,” Gula said. “So, the only other option is to increase their cybersecurity. The only other thing you can do is just increase penalties.”
Others were skeptical that penalties would do anything to address the broader issue. Some experts worried that, as soon as there is a security mandate, companies would focus on meeting the bare minimum that’s required of them to avoid the fine.
Businesses “must demonstrate that they are investing in security, not just to meet the minimum threshold of what the law requires — but that protecting their customers is a pillar of their business,” Ellison Anne Williams, a former NSA technologist who is chief executive of a Maryland-based encryption company called Enveil, told me in an email.