Sony, Epsilon Testify Before Congress
Breaches Prompt Call for National Breach Notification Legislation
Both breaches are believed to have exposed personally identifiable information on millions of consumers, leaving them susceptible to phishing attacks and other malicious schemes perpetrated by hackers.
On June 2, the Subcommittee on Commerce, Manufacturing and Trade, part of the House of Representatives Energy & Commerce Committee, heard from Sony and Epsilon. Both companies, which had declined to appear before the committee last month, say they support national legislation for data security and breach notification.
"We've been reminded that no one is immune to a cyberattack. We believe the attack on us was unprecedented in size and scope," said Tim Schaaff, president of Sony Network Entertainment International, a division of Sony. "We look forward to a national initiative that protects consumers."
The Sony hack, discovered April 19, is believed to have affected at least 77 million online PlayStation Network gamers. An additional 8,500 user accounts, part of Sony Music Entertainment, were later reported by Sony to be impacted as well.
During Thursday's hearing, Subcommittee Chairwoman Mary Bono Mack, R-Calif., called the Sony breach the "Ground Zero" of cyberattacks.
"More than 100 million consumers were exposed to attacks as a result of the breach," Bono Mack said. "Protocols at Sony have been put in place since the attack; but why did the company not have those safety precautions in effect before? I also have concerns about how long it took Sony to notify consumers."
Bono Mack, who plans to introduce legislation that would call for a national data breach notification system, says companies like Sony and Epsilon must be required to enhance security measures used to protect "sensitive" data and promptly notify consumers after a breach.
Members of the subcommittee were broadly critical of both Sony and Epsilon for not notifying consumers sooner once the intrusions were detected.
"1.5 billion credit cards are now in use in the United States, and more and more consumers are shopping online," Bono Mack said. "The Federal Trade Commission estimates that 9 million Americans fall victim to identity theft every year. And numbers are growing steadily and alarmingly. Cyberattacks against consumers to get credit card information are a problem in the United States and around the world. The boldness of these attacks was underscored recently by massive breaches at Epsilon and Sony."
Patchwork of State Notification Laws
Constituents want more inclusive and prompt notification. Pointing to the June 1 revelation of the China-based hackers that hit Google, Rep. Pete Olson, R-Texas, said, "It's clear there is a need for [federal] legislation." He added: "As we learned this morning, after Google was hacked, there is a need for government, businesses and citizens to work together to protect sensitive information," and said more uniformity is required.
More than 40 states currently have breach notification laws on the books, but varying notification requirements across state lines have made corporate compliance difficult. Jeanette Fitzgerald, general legal counsel of Epsilon Data Management LLC, who appeared before the subcommittee, says uniformity in breach notification would benefit consumers and business. "Working with various notification laws from different states is confusing," she says.
That sentiment was echoed by Schaaff. "My understanding is that the difference between the various state laws makes notification difficult," he said. "Without the cooperation of the federal government, I don't think we will be able to work together" toward a collective solution.
Epsilon's immediate notification of its 50 affected customers after its breach was not praised, but it drew noticeably less criticism than Sony's notification, which came seven days after the intrusion was detected. The subcommittee also criticized Sony for relying so heavily on its blog to disseminate information to consumers.
But Schaaff said Sony stands behind its use of the blog, as well as its decision to wait to notify consumers until it had sufficient details about the breach. "We also ask that any legislation consider that notification to consumers should not take place until companies have definitive information to share."