Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley. If you don’t already, be sure to sign up for our newsletter with this LINK.
Welcome! Follow the cyber team, Olivia Beavers (@olivia_beavers) and Maggie Miller (@magmill95), and the tech team, Harper Neidig (@hneidig) and Emily Birnbaum (@birnbaum_e).
REMEMBER EQUIFAX? Equifax will pay $575 million in fines for the massive 2017 data breach that exposed sensitive information for 147 million people.
The sum is part of a settlement announced Monday morning with 50 U.S. attorneys general, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB).
The settlement requires Equifax to pay $300 million to a compensation fund for victims of the breach and could end up paying an additional $125 million if the fund runs out — meaning the company could end up paying as much as $700 million.{mosads}
Equifax will also pay $175 million to a coalition of 50 states and territories, as well as $100 million to the CFPB.
“Equifax failed in its fundamental responsibility to safeguard consumers’ sensitive financial information,” Pennsylvania Attorney General Josh Shapiro (D) said in a statement. “Equifax knew that there were serious flaws in their system, but still they did not take appropriate steps to fix it. They left their system vulnerable to the biggest data breach in history and the financial futures of millions of Americans were put at risk–and it was entirely preventable.”
Attorneys general from 48 states, Washington, D.C., and Puerto Rico were involved in the settlement.
More than fines: The fines come nearly two years after Equifax first announced the breach in September 2017. Since then, the company has been dragged before Congress numerous times to explain its handling of the incident, which compromised Social Security numbers, names, dates of birth and home addresses.
The agreement outlined in the FTC’s complaint with a federal court in Georgia faults Equifax for failing to “provide reasonable security for the massive quantities of sensitive personal information stored within Defendant’s computer network.”
The settlement will require Equifax to implement a stronger cybersecurity program and submit to annual assessments of its protections. And starting in 2020 it will also have to provide consumers with six free credit reports a year for the next seven years.
Read more on the terms of the settlement here.
But many are not happy with the deal: Lawmakers and industry officials are criticizing the settlement between regulators and credit agency Equifax, claiming the potentially $700 million penalty is not enough for the 2017 data breach that exposed the personal information of around 147 million Americans.
Critics also are turning their ire toward Congress, arguing the penalty could have been steeper if the U.S. had a comprehensive privacy law in place.
“[The settlement] shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail,” House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) said in a statement on Monday.
“If we had the comprehensive privacy statute … the authorities would be clear, we’d have a clear way to proceed and then we wouldn’t have an extensive negotiation to try to figure out what sort of remedies the agencies could impose,” Harold Feld, senior vice president of consumer group Public Knowledge, told The Hill.
Pressure on Congress: Following the initial breach in 2017, Congress stepped in to investigate the incident, with multiple hearings from various committees. Multiple congressional reports concluded that Equifax ignored vulnerabilities in its system that led to the hack and failed to take adequate action in its aftermath.
But broader efforts to pass federal privacy legislation have stalled in both chambers.
A plea for more help: During a press conference Monday, FTC officials said they need greater civil penalty authority to respond to incidents such as the Equifax breach, with FTC Chairman Joseph Simons urging Congress to pass data privacy legislation.
“I think we could create a lot more deterrence if we got civil penalty authority, and that is what we are asking for,” Simons said.
More on the criticism at the deal and what’s next here.
MICROSOFT SETTLES BRIBERY CASE: Microsoft on Monday agreed to pay more than $25 million to settle a case alleging the software giant violated a federal anti-bribery law, according to the Department of Justice (DOJ).
The company will pay the fees, including an $8.75 million criminal fine imposed on its Microsoft Hungary unit and over $16 million to the Securities and Exchange Commission (SEC), to settle the charges.
Microsoft Hungary, a wholly-owned subsidiary of Microsoft, admitted that it participated in a scheme between 2013 and 2015 to inflate margins on software sales and ultimately use the savings for “corrupt purposes,” according to the DOJ.
“According to Microsoft Hungary’s admissions, beginning by at least 2013 and continuing until at least 2015, a senior executive and other employees of Microsoft Hungary participated in a scheme to inflate margins in the Microsoft sales channel in connection with the sale of Microsoft software licenses to Hungarian government agencies,” the DOJ statement reads.
“In furtherance of that scheme, Microsoft Hungary executives and employees falsely represented to Microsoft that steep discounts were necessary to conclude deals with resellers who bid for the opportunity to sell Microsoft licenses to government customers,” it adds. “In actuality, the savings were not passed on to the government customers, but instead were used for corrupt purposes and were falsely recorded as ‘discounts.’ “
The savings were stored on Microsoft servers in the U.S., violating the Foreign Corrupt Practices Act, a 1977 law that prohibits U.S. companies from paying bribes to foreign officials to sweeten business deals.
ELECTION SECURITY TAKES A BACKSEAT: This week’s much-anticipated hearing with former special counsel Robert Mueller promises to be full of high political drama. But election security — a key focus of the Mueller report — isn’t likely to garner much attention from lawmakers.
Mueller is scheduled to testify before the House Judiciary and Intelligence committees in back-to-back hearings Wednesday to discuss the findings of his 448-page report on Russian interference in the 2016 presidential election.
The first volume of the report was devoted to Russian efforts to interfere in the elections through social media and hacking operations, with Mueller later emphasizing in rare public remarks that election security is an issue that “deserves the attention of every American.”
Members of the House Intelligence Committee, which published its own report on Russian interference in the 2016 elections, are not expected to focus many of their questions on the topic when Mueller testifies.
A committee spokesperson declined to comment on whether Chairman Adam Schiff (D-Calif.) planned to question Mueller on election security but noted that Schiff plans to hold an “open election security hearing with relevant public officials following the August recess.”
Some members of the House Intelligence and Judiciary committees expressed a keen interest in pursuing the issue of election security but indicated it will not be a priority during the hearing.
Rep. Val Demings (D-Fla.), a member of both committees, told The Hill recently that she “really wished we had time” to discuss election security, citing “loose ends.” But she added that “we’re going to be focused specifically on his investigation and his report, more about meetings the Trump campaign or the administration had with Russian officials, the president obstructing justice, and the conclusions about not exonerating the president.”
Rep. Cedric Richmond (D-La.), chairman of the House Homeland Security cybersecurity subcommittee and a member of the Judiciary Committee, told The Hill that he did not plan to question Mueller on the topic as he thought “that part of the report is sufficiently detailed.”
BUT HOW IS THE COVERAGE? Chinese telecommunications giant Huawei secretly helped the North Korean government build and maintain a wireless network, The Washington Post reported Monday.
Internal documents obtained by the outlet show Huawei worked with Chinese state-owned firm Panda International Information Technology for at least eight years on a variety of projects.
The partnership reportedly makes it difficult to discern Huawei’s involvement in the projects.
A former Huawei employee shared detailed spreadsheets, telling the Post that the information is of public interest. Others shared past work orders and contracts.
Taken together, the documents raise concern that Huawei, which has used American technology in its products, violated U.S. export controls to furnish equipment to North Korea.
The Commerce Department, which declined to comment to The Hill, has been investigating alleged links between Huawei and North Korea since 2016, according to the Post.
Huawei also did not immediately respond to an inquiry from The Hill but told the Post it “has no business presence” in North Korea.
“Huawei is fully committed to comply with all applicable laws and regulations in the countries and regions where we operate, including all export control and sanction laws and regulations” of the United Nations, United States and European Union, the company told the Post.
AN OP-ED TO CHEW ON: Congress can — and should — modernize today.
A LIGHTER CLICK: The world’s worst CPAP machine.
NOTABLE LINKS FROM AROUND THE WEB:
What it really means when Congress talks about regulating Big Tech. (Fast Company)
Delivery apps like DoorDash are using your tips to pay workers’ wages. (The Verge)
Microsoft invests $1 billion in artificial intelligence project co-founded by Elon Musk. (CNBC)
Equifax will set aside up to $425 million for data-breach victims. Getting a share of the payout could be tricky. (The Washington Post)