WASHINGTON, June 3, 2011 – The House Subcommittee on Commerce, Manufacturing and Trade met on Thursday to learn the lessons from recent large-scale customer data breaches at Sony and Epsilon.
The hearing examined the risks of the unprecedented data breaches, which Rep. Mary Bono Mack (R-CA), Chair of the subcommittee, called a ‘ground zero’ for cyber attacks. Other members of the subcommittee also assessed current investigation efforts by those companies, and gathered input and support to craft new data breach legislation.
Bono Mack, along with Rep. Henry Waxman (D-CA), and other members of the subcommittee, used the hearing to consider measures for the first phase of broader privacy legislation.
The breaches at Sony and Epsilon are the two largest in what has been a string of recent virtual break-ins at companies internationally. Google announced the breach of several hundred personal Gmail accounts - including those of several senior U.S. government officials, military personnel and political activists - a day prior to the hearing.
Bono Mack is not the first to attempt to draft data breach legislation. Waxman, in an opening statement to the subcommittee, urged Congress to pass the Data Accountability and Trust Act, from the 111th Congress.
During comments she made after the hearing, however, Bono Mack emphasized that the increased sophistication of hackers and their support from organized crime, along with the increased consumer reliance upon cloud-based technologies necessitates new legislative action.
“You don’t want to reinvent the entire wheel, and you never want legislation that’s going to stifle the growth of the Internet,” said Bono Mack, “but the world has changed in the past two and four years.”
While 45 U.S. states and territories have data breach laws in place, companies expressed their frustration that current state data breach notification laws only create confusion and unnecessary burdens on consumers and businesses.
“A uniform national law would provide predictability and equity for consumers, regardless of their state of residence, and would make it easier and less costly for businesses to ensure any applicable notification requirements are met,” said Jeanette Fitzgerald, General Counsel for Epsilon Data Management, LLC. “
Republicans and Democrats alike emphasized the bi-partisan nature of the legislative action being considered. While there is no certain date for when legislation can be expected, the recent breaches stressed need for action.
“I’d rather get it right, and create something that’s going to move and become law,” said Bono Mack.
“Data security is not a partisan issue,” said Waxman. “It is an issue that affects all of us because sooner or later everyone is vulnerable to cyber attacks: private sector companies of all sizes; federal, state, and local governments; and the American public.”
Between April 19 and May 25 of this year, Sony reported five major data security breaches affecting over 100 million of its account holders in North America, Europe, and Japan. Sony denied that customers' personal financial information were compromised. Sony’s investigations, however, confirmed that hackers accessed names, email addresses, passwords, physical addresses, and birthdates.
On April 1, Epsilon announced that a criminal intrusion into its systems affected an estimated 60 million email accounts. Internal investigations conducted in conjunction with the Secret Service and FBI determined that hackers had accessed only email addresses and customer names.
Members, while pleased with the aggressive action that both companies took to address the issue, expressed frustration with Sony for its methods in which it chose to announce the breaches to its customers.
Along with sending out 77 million emails, Tim Schaaff, President of Sony Network Entertainment International, said that Sony also notified its account holders by way of the company’s blog.
In a follow up email after the hearing, Patrick Seybold, Senior Director of Corporate Communications & Social Media of Sony Computer Entertainment & Sony Network Entertainment, explained the company chose to utilize its blog to announce the breach due to the blog’s high ranking on Technorati, a website that measures the influence, reach, and authority of blogs.
“During the crisis, the Playstation blog was [ranked] 19th, just behind the White House blog the day after they announced the news on Osama Bin Laden. It is now currently the number-31 blog on the internet, on all topics,” said Seybold.
Sony also waited several days before notifying its customers of the breach. Epsilon notified its customers and relevant Federal authorities immediately.
Bono Mack stressed in her opening statement, however, that the hearing was not about pointing fingers, but about finding solutions to protect the American consumer. She reiterated these same sentiments during further comments after the hearing. The congresswoman stressed the need for companies to institute faster customer notification times when a data security breach occurs.
“The consumer needs to be empowered to protect themselves. If they think their credit cards were hacked, they should call their banks.”