On June 2, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing examining threats to data security and historic data breaches at Sony and Epsilon. The hearing, "Sony and Epsilon: Lessons for Data Security Legislation" focused on the recent Epsilon and Sony data breaches and the need for comprehensive federal data security and data breach notification legislation. The representatives and witnesses discussed the delays in Sony's notification, the extent of the breaches and the prospect for federal legislation.
In attendance at the hearing were Subcommittee Chairwoman Rep. Mary Bono Mack (R-CA), Ranking Member Rep. G.K. Butterfield (D-NC), Rep. Cliff Stearns (R-FL), Rep. Brett Guthrie (R-KY), Rep. Gregg Harper (R-MS), and Rep. Pete Olson (R-TX). Tim Schaaff, President of Sony Network Entertainment International, and Jeanette Fitzgerald, General Counsel for Epsilon Data Management LLC, each testified.
Sony and Epsilon Data Breaches
By way of background, on April 1, 2011, Epsilon Data Management, an email marketing company, announced on its website unauthorized access to their servers, exposing consumer names and email addresses to hackers. The breach affected 75 of Epsilon's business customers, including Best Buy, Capitol One, Kroger, Target and Verizon, ultimately affecting more than 60 million consumers. A few weeks later, on April 22, 2011 Sony's PlayStation Network announced that a data breach occurred on April 19, 2011, exposing names, email addresses, passwords, physical addresses and birthdates of over 77 million consumers. A little over a week later, on May 2, 2011, Sony announced that on May 1, 2011 its Online Entertainment network was breached, exposing personal information on over 25 million consumers. These high-profile data breaches prompted an ongoing Congressional inquiry in the form of a series of letters from Chairwoman Bono Mack and Ranking Member Butterfield to Sony and Epsilon leading up to the June 2nd hearing. In the immediate wake of their data breaches, Sony and Epsilon declined to testify at a May 4, 2011 Subcommittee hearing on data theft and data security.
Lessons Learned for Federal Data Breach Legislation
On June 2, 2011, the Subcommittee finally had the opportunity to question Sony and Epsilon under oath. Rep. Bono Mack's opened by noting that for her the "most troubling" aspect of the Sony data breach was the time it took for Sony to notify consumers and the way Sony initially notified consumers through a blog posting. Representatives Bono Mack, Butterfield and Harper pressed Sony on why it took so long to notify consumers of the breach. Sony initially notified PlayStation users on April 22 via blog post, only later on April 26 notifying users by direct email notice (which took several days to complete). Mr. Schaaff testified that it took Sony time to identify that a breach occurred, noting that Sony thought it would be "irresponsible" to notify consumers with inaccurate information as Sony investigated the full extent of the breach. Rep. Bono Mack was concerned that Sony's initial notice via blog post placed the burden on consumers to learn that a breach occurred. Mr. Schaaff defended this action because its blog was popular source of information for PlayStation users and that Sony did follow-up by notifying users with more detailed information by direct email and public announcements, once it had more complete information. Further, Sony responded by providing its customers with free credit monitoring.
The representatives also inquired on the extent of the damage caused by the data breaches. Rep. Butterfield pressed Mr. Schaaff on whether credit card information for PlayStation users was breached. Mr. Schaaff testified that there is no evidence in its database logs to suggest that that credit card information was accessed and, further, that credit card information was encrypted in line with industry practices. In response to a question from Rep. Stearns, Ms. Fitzgerald indicated that Epsilon's breach exposed information on millions of Verizon's customers, a client of Epsilon's. Epsilon only notified its business customers such as Verizon, not the consumers whose information was jeopardized. In response to a question from Rep. Guthrie, Mr. Schaaff estimated that the data breach would cost Sony around $170 million.
The representatives asked Sony and Epsilon representatives about their thoughts on Federal data breach legislation. In response to a question from Rep. Guthrie, Mr. Schaaff noted the burdens imposed on companies to comply with often conflicting state notification requirements. Mr. Schaaff and Ms. Fitzgerald supported a federal data breach notification law that would preempt state laws, including specifications on who companies need to notify and when they need to notify.
At the hearing, Rep. Bono Mack called for a "uniform national standard" for data security and data breach notification, announcing her intent to introduce legislation based on "three guiding principles," including:
- Companies that maintain personal information must have security policies in place to prevent unauthorized access to sensitive data;
- Especially sensitive data, such as credit card numbers, must have more robust safeguards; and
- 3. Consumers must be promptly notified of data breaches.
Congressional Data Security and Privacy Initiative
The hearing is part of a comprehensive review of data security and electronic privacy initiated by the House Energy and Commerce Committee that was announced on June 1, 2011. According to the Committee press release, the first phase of the Committee's review will focus on online data security and data theft prevention, followed later in the year by a focus on broader electronic privacy concerns. Data security and data privacy legislation has been gaining traction in Congress. Most recently, Rep. Bobby Rush (D-IL) introduced the Data Accountability and Trust Act, which would require data security policies and mandate national consumer data breach notification. There also has been a flurry of activity on the data privacy front with a number of bills circulating on Capitol Hill, including Rep. Stearns' and Rep. Jim Matheson's (D-UT) Consumer Privacy Protection Act of 2011, Rep. Rush's BEST PRACTICES Act, Rep. Jackie Speier's (D-CA) Do Not Track Me Online Act and Senators John Kerry's (D-MA) and John McCain's (R-AZ) Commercial Privacy Bill of Rights Act of 2011.
In the wake of historic data breaches at Sony and Epsilon, companies are reminded of the increasing need to exercise the utmost due diligence in the collection and retention of sensitive data. On June 2, 2011, the same day Sony testified at the hearing, hackers claimed responsibility for yet another data breach at Sony, purportedly accessing personal information on some 52,000 Sony customers. But Sony and Epsilon are not alone. Mr. Schaaff asserted that data breach issues discussed at the hearing apply to everyone because all networks are built out of the same basic components. The hearing built on the growing record in Congress supporting data security and data breach notification legislation that could ultimately supersede the patchwork of state laws.