Recap: Lessons for Data Security Legislation

On June 2, 2011, the House Commerce Committee's Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled “Sony and Epsilon: Lessons for Data Security Legislation.” The purpose of the hearing was to examine the risks arising from the recent, historic data breaches at Epsilon and Sony and the state of the ongoing investigations into each incident. The Subcommittee is chaired by Rep. Mary Bono Mack (R-CA).

Epsilon Data Management is a business-to-business marketing services firm that manages email marketing campaigns for approximately 2500 companies. On April 1, 2011, Epsilon announced a criminal intrusion into its servers. While Epsilon initially estimated that 50 of its corporate customers were affected, more recent media reports indicate the breach impacted about 75 of those firms (approximately 3 percent of its customers).

Sony announced on April 22, 2011, that an intrusion had occurred on April 19, affecting 77 million accounts. Intruders gained access to personal information such as names, email addresses, passwords, physical addresses, and birthdates. After reportedly patching the security hole and determining what information had been accessed, Sony began notifying the holders of the 77 million accounts on April 26, 2011. Due to the sheer number of accounts affected, Sony did not complete notification until 6 days after the notice began. Sony resumed its PlayStation Network operations in North America and Europe on May 15, and it restored access in Japan on May 27. On May 2, 2011, Sony announced what appeared to be a related breach of its Sony Online Entertainment network. On May 1, 2011, Sony discovered that intruders had gained access to nearly 25 million users’ information in approximately mid-April. That breach involved access to names, addresses, email addresses, birthdates, gender, phone numbers, and login names and passwords. On May 21, Sony reported a breach of So-Net Entertainment Corp, an ISP service in Japan. That intruder gained access to 90 of its users’ email accounts and, in addition, compromised approximately 200 rewards-points accounts. Last week, Sony announced two more breaches.

Chairman Bono Mack said, "I believe the lessons learned from the Sony and Epsilon experiences can be instructive. How did these breaches occur? What steps are being taken to prevent future breaches? What’s being done to mitigate the effects of these breaches? And what policies should be in place to better protect American consumers in the future? Most importantly, consumers have a right to know when their personal information has been compromised, and companies have an overriding responsibility to promptly alert them. These recent data breaches only reinforce my long-held belief that much more needs to be done to protect sensitive consumer information. Americans need additional safeguards to prevent identity theft, and I will soon introduce legislation designed to accomplish this goal. My legislation will be crafted around three guiding principles:
First, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data;
Second, information considered especially sensitive, such as credit card numbers, should have even more robust security safeguards;
And finally, consumers should be promptly informed when their personal information has been jeopardized."

Top executives from Sony and Epsilon said that they support federal legislation that would require companies to promptly notify consumers if their personal information is stolen or exposed by a data breach. Chairman Bono Mack plans to introduce legislation that would require companies that hold consumer data to put in place security measures to protect that information, with even stronger safeguards for sensitive data such as credit card numbers. Her bill would also require companies to promptly notify consumers if that data has been compromised.

Related coverage:
Sony, Epsilon executives support data breach legislation at House hearing (Associated Press)
Sony, Legislators Agree Fed Data Security/Notification Bill Needed (B&C)
Sony, Epsilon Back Security Efforts (WSJ)