The security breaches at major retailers and banks keep coming, but powerful interests are tempering expectations that the Senate can pass a cybersecurity bill this year. And as the cyber attacks continue, Morning Consult polling shows that consumer confidence is starting to weaken.
Last month’s revelation that J.P. Morgan Chase & Co. fell victim to a cyber attack over the summer is another example of why proponents of cybersecurity are calling for movement on pending legislation aimed at preventing sophisticated hacks. With a handful of cyber-related measures already passed by the House, the onus is now on the Senate to consider one of its many bills that would create a framework for information sharing between companies and the U.S. government.
But the prospects for congressional action before the end of the year are fading, in part because of a late start to committee consideration of a controversial bill and a legislative calendar shrinking by the day. The most recent Senate bill, approved by the Intelligence Committee in July, has been problematic, and not just because of the upcoming midterm elections in November.
“Cybersecurity legislation got a bit of a late start in this Congress. And when you get into the second session, it gets pretty difficult to move a bill,” said Paul Martino, vice president and senior policy counsel with the National Retail Federation. “There is consensus among members of Congress that something should move, but I think there’s a lack of consensus on exactly what it should look like. Because they want to do it the right way and because it’s complicated, it takes time. I think that makes it really difficult to get something done this year.”
The Senate Intelligence Committee approved its 44-page bill in July on a 12-3 vote that broke down along a familiar divide – not on party lines, but with privacy advocates such as Sen. Ron Wyden (D-Ore.) opposing the legislation.
The Intelligence panel’s bill has the public support of industry groups such as the American Bankers Association, the Financial Services Roundtable, the Securities Industry and Financial Markets Association and the U.S. Chamber of Commerce. And many say they’re still pushing hard for Senate action this year.
“There’s still very much an effort to get this done before Congress leaves at the end of the year,” said James Ballentine, executive vice president of congressional relations and political affairs at the American Bankers Association. “We by no means are giving up on the chance of getting that done. We would not like to have to start this process again next year.”
He said his group’s discussions have involved senators and each party’s leadership in the chamber.
Paul N. Smocer, president of BITS, the technology policy arm of the Financial Services Roundtable, said he continues to hold “meetings with members and staff both to express our support for the bill and to help educate about the nature of the cyber-attack and cyber threat information being exchanged.”
At the same time, he said, “we recognize that the lame-duck session, given its length, presents challenges to the possibility of bringing the bill to a full floor vote and subsequently working with the House to finalize reconcilement in that time.”
Sen. Saxby Chambliss of Georgia, the ranking Republican on the Intelligence Committee and co-author of the bill, said top lawmakers in both chambers have held conversations and are ready to conference the House and Senate bill quickly. Chambliss said earlier this month at a Bloomberg Government conference in Washington that he is “cautiously optimistic” that the Senate will vote on the bill after the midterms. Meanwhile, a Senate aide says the bill’s sponsor, Intelligence Committee Chairman Sen. Dianne Feinstein (D-Calif.), continues to work on the measure to determine how and when it comes up in the lame-duck session.
As the Senate continues backroom discussions of the bill, financial firms remain vulnerable, and not just to data breaches: The public’s confidence in banks as protectors of personal accounts is also at risk. That confidence is already showing signs of weakness, according to polling by Morning Consult.
From a reputation standpoint, security breaches appear to be chipping away at the public’s positive view of banks, which enjoyed broad support among voters on the data-security front before the JPMorgan hack, at least compared with retailers like Target Corp.
A Morning Consult poll published last month found 83 percent of respondents say their bank is doing an excellent or good job protecting their accounts, compared with 49 percent of respondents who said the same thing about retailers. Seventy-three percent of those polled said they’re more likely to engage in electronic transactions with a company that has no history of online security breaches.
Firms are acutely aware of those consumer habits. Even before the summer cyber attack, JPMorgan said it planned to increase spending on cyber security to about $250 million in 2014. But that wasn’t enough to guard against the effect a data breach has on the public’s perception of banks.
A more recent Morning Consult poll, published this month, found that one-third of registered voters say their confidence in their bank and other financial institutions has decreased following news of the JPMorgan hack. Almost half said their confidence is unchanged, with almost no differences between Democrats, Republicans and independents, and 55 percent said the cyber assaults have not changed their purchasing habits or persuaded them to switch to cash transactions. The most noticeable divergence was among groups based on income: As income increased, confidence decreased.
The Obama administration has signaled support for legislative proposals that put the Department of Homeland Security at the center of any information-sharing efforts. Wyden and Sen. Mark Udall (D-Colo.) are the most outspoken critics of the Senate bill, saying it lacks “adequate” protections for individuals’ privacy rights. They also promised to work with their colleagues to iron out disagreements.
But for some industry experts, the wait keeps getting longer and longer.
“The financial services industry has been clamoring for years that it doesn’t get sufficient real-time information from law enforcement about cyber threats,” said Edward J. DeMarco, general counsel and director of regulatory relations and operational risk at the Philadelphia-based Risk Management Association, which represents banks and other financial institutions but doesn’t lobby.
“It’s not a panacea for cyber risk, but it’s better than doing nothing,” DeMarco said about pending legislation. “People are recognizing that you’ve got to do something.”
Even if there’s no floor vote in the Senate, the committee markups and the House votes will be of some value, according to NRF’s Martino, a former Senate Commerce Committee counsel on the Republican side.
“A lot has happened this year, and that portends well for movement of cyber security in the next Congress,” he said.