Facebook’s silver lining: Data furors fade

First comes the news of yet another improper leak of personal data. Then the outrage and investigations in Washington, the calls for a chastened CEO to testify in front of Congress, the cries for tough new laws and regulations to protect people’s privacy.

Then, typically, nothing much happens.


The Facebook privacy scandal could turn out differently. But that would make it the exception in a long string of U.S. data-privacy furors, which have come and gone with no serious laws, rules or other major repercussions for companies like Equifax, Yahoo, Uber or Home Depot — even those whose leaks were arguably worse than Facebook’s.

Lax security at Equifax, for example, allowed hackers to steal highly personal and financial data on as many as 148 million Americans — exposing them to the risk of identity theft and ruined credit. But nearly seven months after that news broke, Congress has largely dropped the issue, while state and federal regulators are investigating.

Much the same is true for Yahoo, which admitted last fall to two mammoth breaches that exposed the data on all 3 billion of its users, feeding the black market for identity thieves and allegedly giving Russian intelligence officers access to high-value email accounts. While Yahoo took a financial hit — Verizon shaved $350 million from its offer to buy the company — lawmakers weren’t able to move any serious responses.

“My hope is that [this time] is different, but my fear is that a lot of Americans throw up their hands and say, ‘What can I do?’” said Justin Hendrix, who heads the NYC Media Lab and is helping lead a tech and media initiative called Regulate Social Media.

“You’ve got all this momentum, but even if the ball’s really rolling, it’s not clear what direction it’s going to roll,” added Jake Laperruque, a digital privacy specialist with the Project on Government Oversight.


Still, advocates retain a degree of optimism that Cambridge Analytica’s repurposing of data on 50 million Facebook users during the 2016 election might eventually lead to regulatory changes — even if it doesn’t occur in the coming months. They say this latest digital misconduct gets to the visceral issue of Americans’ ability to conduct fair elections, making it different than the more common data breaches that have become a regular occurrence.

“It seems like more than ever before if we don’t act, [lawmakers] are actually abdicating their responsibility to people across the country,” said Amie Stepanovich, U.S. policy manager for the digital rights group Access Now.

Doing nothing, Hendrix added, is “not an option if you prefer democracy.”

Still, the track record of other headline-grabbing data scandals offers reason for skepticism that Washington is about to break up Facebook, hit it with multitrillion-dollar fines, regulate it like a utility or impose the other draconian penalties people have floated.

Here’s a look at how those other data furors have played out:

YAHOO

When: Occurred in 2013 and 2014, discovered in 2017

How many people affected: 3 billion

Why it mattered: The twin breaches set records for the number of people compromised in a single digital intrusion. The first one, which alone hit 3 billion, will probably never be matched unless someone breaches every single user of a company like Google. (The second Yahoo breach exposed 500 million Yahoo users.)

Prosecutors, who secured indictments of four men for the smaller hack, said Russian intelligence agents conspired with notorious criminal hackers to steal the data, then used it to build dossiers on journalists, dissidents and U.S. officials. Meanwhile, the criminals leveraged it to steal identities and launch email spam schemes.

Consequences: Congress largely let the Yahoo incident slide with little more than a public chastising of former CEO Marissa Mayer, whom the Senate Commerce Committee subpoenaed to testify last November. Committee Chairman John Thune (R-S.D.) said Mayer’s testimony would be “important in shaping our future reactions,” but his committee has yet to move any related legislation.

EQUIFAX

When: Occurred and discovered in 2017

How many people affected: 148 million, potentially half the adult U.S. population

Why it mattered: This may have been the most damaging breach of all time, especially because the information that was compromised — such as Social Security numbers — is considered the crown jewels for identity thieves. (Democratic Sen. Elizabeth Warren of Massachusetts has alleged that it also included passport numbers, which the company denies.)

The company compounded matters with a slow, confusing response that included an apparent attempt to limit customers’ rights to sue, as well as suspicious stock sales that led to recent insider-trading charges against a former executive who dumped nearly $1 million in Equifax shares before the breach was announced.

Consequences: Congress proposed myriad changes to the legal requirements for companies to respond to data leaks and protect Americans’ sensitive information, and Democratic bills sought to tighten oversight of credit reporting companies more specifically.

But momentum stalled within months.

A working group featuring senior lawmakers from both parties was effectively put on hold, falling victim to years-old battles between industries such as banking, retailing and telecommunications over whom any legislation would cover and what the specific security and privacy requirements should be.

Meanwhile, the Senate passed a sweeping banking bill this month that would reward Equifax and other credit monitoring companies by protecting them from some consumer lawsuits and letting them expand into the mortgage business.

However, regulators have descended on Equifax in the wake of the incident. Both the Federal Trade Commission and a number of states are examining whether there was any malfeasance in the way the company handled the breach.

UBER

When: Occurred and discovered in 2016, covered up until 2017

How many people affected: 57 million

Why it mattered: This breach added a new element to the discussion — the cover-up. The ride-hailing giant revealed last November that it had conspired for more than a year to keep the leak secret by paying the hackers $100,000 to destroy the data. That way, the company hoped to keep the data off the black markets, where a researcher might discover it and alert the public.

Uber’s actions may have violated state laws requiring companies to alert victims, authorities and regulators about the breach.

Consequences: Numerous states are investigating the matter, and the FTC — which had previously penalized Uber over privacy issues — has said it is “closely evaluating the serious issues” raised by the incident.

On Capitol Hill, Uber got roped into the Equifax fallout. Lawmakers also pushed proposals to address the specifics of the Uber breach, including a bill co-sponsored by three Democratic senators that would let prosecutors seek jail time for individuals who knowingly cover up a data breach. But that bill has shown no signs of moving.

TARGET

When: Occurred and discovered in 2013

How many people affected: 40 million

Why it mattered: This was the breach that started it all. While Target was far from the first company to experience a digital intrusion, the infiltration over the 2013 holiday season brought the issue into mainstream conversation. The exposure of 40 million customers’ payment card data was a gobsmacking figure at the time and made those victims easy targets for fraud.

Consequences: A Target executive appeared on Capitol Hill within weeks, and lawmakers re-upped dormant proposals to require timely breach notification for victims. Lawmakers on both sides of the aisle expressed an interest in such an idea.

“This might provide the chance to take action quickly,” said Iowa Sen. Chuck Grassley, then the top Republican on the Judiciary Committee.

Some Democrats also pushed for a law that would instruct the FTC to write nationwide digital security standards for companies handling sensitive data.

Nothing ultimately happened in Congress.

However, CEO Gregg Steinhafel resigned several months later, in part due to the breach. Target agreed in 2015 to pay affected banks $39.4 million to cover their expenses and struck a deal with Visa to give $67 million to credit card companies’ victimized customers. A class action settlement is still pending.

In total, Target has said it spent over $200 million recovering from the breach.

HOME DEPOT

When: Occurred and discovered in 2014

How many people affected: 56 million

Why it mattered: This theft of credit card data showed the public that Target was far from unique, and set the record at the time for the largest retail card breach ever. Ensuing news reports revealed that the home improvement giant had ignored years of warnings from its own computer experts that its systems were vulnerable.

Consequences: Capitol Hill went through the same motions: outrage, a demand for testimony and a vow to change things.

“I do sincerely believe that is an achievable goal,” said Rep. Michael Burgess (R-Texas), then the chairman of the House Subcommittee on Commerce, Manufacturing and Trade, at a January 2015 hearing. The hearing followed both the Home Depot breach and a leak at banking giant JPMorgan Chase that compromised 83 million accounts.

But nothing much happened.

The company’s business didn’t even suffer significantly, with sales remaining in line with expectations the month the breach was announced. Home Depot also didn’t change its expectations for sales growth for fiscal 2014. And despite a brief dip in stock price after the breach was revealed, Home Depot’s stock price is nearly double today what it was in late 2014.

Like Target, the company has had to settle a variety of lawsuits, agreeing in 2016 to pay at least $19.5 million to victims and doling out $25 million to banks last year. In total, the company says the breach has cost it at least $179 million.

U.S. OFFICE OF PERSONNEL MANAGEMENT

When: Occurred in 2014, discovered in 2015

How many people affected: 22 million

Why it mattered: This breach, blamed on Chinese hackers, exposed some of the government’s most sensitive documents — the detailed questionnaires used to process security clearances for more than 20 million current and former federal employees and applicants. It also included personnel files on every federal worker and was a huge espionage victory for Beijing.

Security clearance applications are exhaustive, including 127 pages of details on people’s most closely held secrets, such as affairs, drug and alcohol abuse or bankruptcies. Intelligence professionals say they are a treasure trove for blackmail and can be used to identify undercover American agents, especially when cross-referenced with data like airline travel logs, which Chinese hackers are also suspected of stealing.

Consequences: The OPM breach could be considered the one digital privacy scare that led to serious ramifications and concrete action.

Within weeks, then-OPM Director Katherine Archuleta stepped down after running a gantlet of Capitol Hill hearings where lawmakers admonished her handling of the agency’s digital security practices. Months later, the agency’s chief information officer resigned under pressure from Congress.

And the incident led to a broad overhaul of the government's security clearance process, which put the Defense Department in charge of protecting the background check forms.

Meanwhile, lawmakers revived a long-stalled proposal to offer incentives for companies to share more data on hacking threats with the government. By December 2015, just six months after OPM revealed the breach, the legislation became law. It was the first major cybersecurity bill Congress had approved in years — and, so far, it’s the last one.