The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Senators call for data breach penalties, tougher privacy laws after Marriott hack

December 3, 2018 at 7:25 a.m. EST

with Bastien Inzaurrade

THE KEY

A slew of Democratic senators are calling for tougher privacy laws — and even steep fines for companies that fail to protect their customers’ data from data breaches — in the wake of Marriott’s admission that hackers compromised the personal information of up to 500 million of its customers. 

“We must set clear customer data protection standards for all companies — whether they’re hotel chains, online retailers, or big tech — and severe penalties for those who fall short,” Sen. Richard Blumenthal (Conn.) tweeted

Sens. Mark Warner (Va.) and Ed Markey (Mass.) also pressed for tougher data security laws, and said Congress needs to set limits on how much customer data U.S. companies are allowed to store. Sen. Ron Wyden (Ore.) went even further — he said senior executives who ignore customer data privacy should face jail time.

After potentially one of the largest breaches of consumer data in history, lawmakers appear ready to take a page out of Europe’s playbook to ensure it does not happen again: Their calls for aggressive penalties for companies that have poor data security are reminiscent of the General Data Protection Regulation that went into effect in the European Union earlier this year. The GDPR requires companies to adhere to a highly specific set of security requirements — and contains fines up to 4 percent of a company's annual revenue for violations. It is unclear, however, how such legislation would fare in a split Congress that appears poised for gridlock. 

Wyden outlined on Twitter specific legislation that would impose “harsh fines and prison terms” for companies that misuse consumer data. The bill, which a spokesman said he is preparing to introduce early next year, would set up a new office with the Federal Trade Commission called the Bureau of Technology, give it sweeping powers to punish businesses for lax data security practices, and require it to hire 175 staffers to “police the largely unregulated market for private data.”

The bill would also introduce a new set of data security requirements, set up a “do not track” list for individual consumers to opt out of data collection online, and outlines “steep fines (up to 4 percent of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives,” according to a release from Wyden's office.  

Sen. Elizabeth Warren also said there should be consequences for executives, tweeting, “CEOs won't take protecting our data seriously unless their own jobs are on the line.” 

To address the current crisis, Sen. Chuck Schumer (D-N.Y.) said Friday that Marriott that should pay for new passports for customers whose passport numbers were stolen.

Marriott, for its part, seemed to admit a degree of culpability for the breach of its Starwood reservation system containing addresses, travel locations, credit card numbers, phone numbers, passport numbers. The breach could possibly leave droves of customers vulnerable to espionage or identity theft.

“We fell short of what our guests deserve and what we expect of ourselves,” Marriott president and chief executive Arne Sorenson said in a release. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

But this apology was not sufficient for lawmakers, who insisted that businesses like Marriott can no longer be trusted to police themselves when it comes to data security.

“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans,” Warner said in a statement. “Rather than accepting this trend as normal, this latest incident should strengthen Congress’ resolve.”

“If history is any guide, Marriott’s mega data breach will be treated like all the others: the company will apologize and offer useless credit monitoring to the victims impacted,” Wyden tweeted. “The status quo isn’t working.” There have been several major breaches in the last several years that put hundreds of millions of customers’ personal information at risk: The breaches of Target and Yahoo in 2013; Home Depot in 2014; the health insurer Anthem in 2015; and credit reporting company Equifax last year.

But as of now, U.S. companies rarely face fines for breaches. The last major U.S. corporate cybersecurity overhaul was the 2014 Cybersecurity Enhancement Act, which led to a voluntary set of standards managed by the National Institute for Standards and Technology (NIST). That law doesn't include fines for violations or data breaches.

Ron Gula, a cybersecurity investor who founded Maryland-based cybersecurity company Tenable Network Security, said Warner and Markey's idea that setting limits on personal information that companies can store would not be realistic for companies like Marriott, though he noted penalties might help improve their attitudes toward security. 

“When you book a Marriott hotel room it’s kind of nice that they already have all of your information when you book a room … they are always going to have to collect sensitive data on their customers,” Gula said. “So the only other option is to increase their cybersecurity. The only other thing you can do is just increase penalties.”

Others were skeptical that penalties would do anything to address the broader issue. As soon as there's a security mandate, some experts worried companies would focus on meeting the bare minimum that's required of them to avoid the fine. 

Businesses “must demonstrate that they are investing in security, not just to meet the minimum threshold of what the law requires — but that protecting their customers is a pillar of their business,” Ellison Anne Williams, a former NSA technologist who is chief executive of a Maryland-based encryption company called Enveil, told me in an email.

Sign Up! Our newest 202 newsletter is launching tomorrow: The Technology 202 by Cat Zakrzewski. Cat worked at the Wall Street Journal covering venture capital in Silicon Valley before joining The Post to launch this new venture. She’ll be covering the dynamic and evolving relationship between Washington and technology companies, delving into everything from proposed privacy regulations to artificial intelligence and quantum computing. Get your copy here.

PINGED, PATCHED, PWNED

PINGED: Facebook has said it never sold users' data, but internal communications seem to paint a more complicated picture. “Facebook executives in recent years appeared to discuss giving access to their valuable user data to some companies that bought advertising when it was struggling to launch its mobile-ad business, according to internal emails quoted in newly unredacted court filings,” The Washington Post's Elizabeth Dwoskin and Craig Timberg reported. “In an ongoing federal court case against Facebook, the plaintiffs claim that the social media giant doled out people’s data secretly and selectively in exchange for advertising purchases or other concessions, even as others were cut off, ruining their businesses. The case was brought by one such company, Six4Three, which claims its business was destroyed in 2015 by Facebook’s actions.”

Many companies that relied on Facebook's data via an application programming interface, or API, folded after the tech giant in 2014 “announced it was restricting developers' access to the API, citing privacy concerns from users who complained that their data was being shared with outsiders without their knowledge,” according to my colleagues. But Six4Three is challenging's Facebook's explanation. “Six4Three alleges that privacy was not the reason Facebook shut down the API,” Elizabeth and Craig wrote. “The developer claims Facebook realized that it could use its data feed as leverage, to pressure businesses to buy advertising that would fuel the company’s then-nascent mobile-ad business.”

PATCHED: Sens. Amy Klobuchar (D-Minn.) and Dan Sullivan (R-Alaska) introduced a bill that would create a program at the State Department to share information on election security with U.S. allies, according to a press release from Klobuchar's office. The bill, titled “Global Electoral Exchange Act,” would authorize the department to award grants to American nonprofits that focus on election security in order to share information with similar groups in allied countries. “Our intelligence community continues to warn that our elections—and those of our allies—are a target for adversaries,” Klobuchar said in a statement. “This bipartisan legislation will allow the State Department to work with our allies abroad to share information, discuss best practices, and combat the growing threat of election interference to democracies around the world.”

Moreover, under the program, foreigners involved in administering elections would travel to the United States to study U.S. electoral procedures while American officials would have an opportunity to learn about other countries' election security efforts. A similar bipartisan bill sponsored by Reps. Joaquin Castro (D-Tex.) and Mark Meadows (R-N.C.) passed the House in a voice vote in September. “The threats to our democratic electoral process and those of other democracies across the globe should not be taken lightly,” Sullivan said in a statement.

PWNED: A Saudi critic of the authorities in Riyadh alleges in a lawsuit that the Israeli company NSO Group, which sells the Pegasus spyware, helped Saudi Arabia monitor his communications with Jamal Khashoggi, a  journalist who was killed in the Saudi Consulate in Istanbul in October, the New York Times's David D. Kirkpatrick reported“The spyware allows its customers to secretly listen to calls, record keystrokes, read messages, and track internet history on a targeted phone,” according to the Times. “It also enables customers to use a phone’s microphone and camera as surveillance devices. Because of those sweepingly invasive capabilities, Israel classifies the spyware as a weapon. The company must obtain approval from the Defense Ministry for its sale to foreign governments.”

The Saudi opposition activist, Omar Abdulaziz, has asylum in Canada and lives in Montreal. Abdulaziz and Khashoggi, who was a contributing columnist for The Post, collaborated on dissidence projects, the Times reported. “The lawsuit was filed by an Israeli lawyer, Alaa Mahajna, in cooperation with Mazen Masri, a lecturer at the City University of London,” Kirkpatrick wrote. “The lawyers say in the court papers that they intend to argue that the resulting exposure of the collaboration between Mr. Abdulaziz and Mr. Khashoggi ‘contributed in a significant manner to the decision to murder Mr. Khashoggi.’”

PUBLIC KEY
President Trump and Chinese President Xi Jinping met in Buenos Aires on Dec. 1, 2018. Trump called the two leaders' relationship "very special." (Video: The Washington Post)

— The United States and China will start negotiations to enact “structural changes” to their trade relations, according to a White House statement. The talks will include topics such as “forced technology transfer, intellectual property protection,” as well as “cyber intrusions and cyber theft,” the statement said. “Many analysts are skeptical that China will make fundamental changes to its state-led economic system in the 90-day talks,” The Post's David J. Lynch wrote.

— “U.S. Defense Secretary Jim Mattis accused Russian President Vladimir Putin on Saturday of being a ‘slow learner’ who again tried to meddle in U.S. elections in November, adding that he had no trust in the Russian leader,” Reuters's Phil Stewart reported. According to Reuters, Mattis said that “(Putin) tried again to muck around in our elections this last month. And we are seeing a continued effort along those lines.”

— “The Office of Management and Budget, in partnership with the Department of Education and the CIO Council, is launching an educational program to train current federal employees without an IT background in cyber defense skills,” FCW's Chase Gunter reported. “The Federal Cybersecurity Reskilling Academy is ‘the first of many of the reskilling efforts that the administration is exploring,’ said Federal CIO Suzette Kent on a briefing with reporters.”

— “A proposal to codify and elevate the authority of the White House’s top IT officer passed in the House on Friday,” FedScoop's Carten Cordell reported. “The Federal CIO Authorization Act of 2018 — sponsored by Reps. Will Hurd, R-Texas, and Robin Kelly, D-Ill. – aims to make the Federal CIO a presidentially appointed position that reports directly the Office of Management and Budget director, instead of the deputy director, as it currently does.”

— More cybersecurity news from the public sector:

Senate Intelligence Committee has referred cases of suspected lying to Mueller (Ellen Nakashima and Shane Harris)

‘I had no contact with Assange,’ Roger Stone says (Felicia Sonmez)

Cohen’s guilty plea suggests Russia has ‘leverage’ over Trump, top Democrat says (Felicia Sonmez and Paige Winfield Cunningham)

PRIVATE KEY

iTunes Doesn't Encrypt Downloads—on Purpose (Wired)

Mining software isn't just for cryptocurrency — it could also be used to steal corporate secrets (CNBC)

Three Executives Depart in Major Leadership Shuffle at Symantec (Bloomberg News)

SECURITY FAILS

Someone hacked printers worldwide, urging people to subscribe to PewDiePie (The Verge)

THE NEW WILD WEST

— “Alex Younger, chief of the U.K.’s foreign spy agency MI6, named Russia as a major proponent of state-sponsored cyber and terrorist attacks and warned the Kremlin there is a cost attached to every attack,” Bloomberg News's Kitty Donaldson reported. “He told Russia not to underestimate Britain’s ‘determination’’ and ‘capabilities,’’ after President Vladimir Putin sought to melt at least a layer of diplomatic frost at the Group of 20 meeting in Argentina by praising Britain as an ‘important partner.’’’

More cybersecurity news from abroad:

Special Report: How Iran spreads disinformation around the world (Reuters)

China tells tech companies to keep detailed records of users' activity (CNN)

ZERO DAYBOOK

Coming soon

EASTER EGGS

Tributes pour in for George H.W. Bush:

Journalists, friends and former administration officials shared their memories about President George H.W. Bush on Dec. 2, after his death Nov. 30. (Video: Jenny Starrs/The Washington Post)