Sony, Epsilon Back National Data Protection Law
Sony and Epsilon support a federal standard for data breach consumer notification, both said at a hearing Thursday of the House Commerce Subcommittee on Manufacturing. Chair Mary Bono Mack, R-Calif., said her upcoming data breach bill will include such a standard, among other consumer protections. Bono Mack criticized Sony and Epsilon but said it’s time to stop pointing fingers. “Instead, let’s point the way -- a better, smarter way -- to protect American consumers online.”
Sony has difficulty complying with the many, often conflicting state laws on when to notify consumers after a data breach, said Sony Network Entertainment President Tim Schaaff. Epsilon Assistant General Counsel Jeanette Fitzgerald said one uniform law would provide more predictability for consumers. However, Schaaff cautioned Congress about the dangers of rushing notification. “Laws and common sense provide for companies to investigate breaches, gather the facts and then report data losses publicly,” Schaaff said: “If you reverse that order, issuing vague or speculative statements before you have the specific and reliable information, you either send false alarms or so many alarms” that they are ignored.
Data security legislation should be guided by three principles, Bono Mack said. First, entities that hold personal information must have security policies to prevent unauthorized taking of data. Second, credit card numbers and other “especially sensitive” data should have even stronger safeguards. And third, “consumers should be promptly informed when their personal information has been jeopardized.”
“Without a federal standard I am concerned that American consumers remain largely exposed online,” said Ranking Member G.K. Butterfield, D-N.C. He supported the DATA Act introduced last year by Rep. Bobby Rush, D-Ill. “No company is safe from attack, and we must always operate at a heightened level of vigilance,” Butterfield said. Companies should “do all they can” to keep consumers’ data from “falling in the wrong hands,” he said. Full committee Ranking Member Henry Waxman, D-Calif., said “recent attacks on Sony, Epsilon, and now Gmail are proof that it is indeed time to legislate.”
Bono Mack and several other members asked why Sony took days to notify consumers about its breach. “If we had responded earlier, it would probably have been irresponsible,” Schaaff said. He also defended posting the notification on the Sony blog, another issue raised by several subcommittee members. The Sony blog is “just behind” the White House blog in popularity, “and we know it’s a good way to get a message out to customers quickly,” Schaaff said. Sony “followed up with public announcements through other channels” and direct email to customers, he said.
Epsilon notified its customers -- large U.S. corporations -- on the same day as the breach, Fitzgerald said. Epsilon’s initial investigation with the U.S. Secret Service confirmed that “only email addresses and in some cases first and last names were affected,” Fitzgerald said. Sony still doesn’t believe credit card data was taken, Schaaff said. Asked how certain he was, Schaaff said there was “no clear evidence that there was any access” to credit card information.
Bono Mack asked why Sony hadn’t already protected its network with the safeguards the company announced after the breach. Sony thought its security was “very, very strong and we felt that we were in good shape,” Schaaff said. But the attack on Sony’s network was worse than anything it had prepared for, he said. Schaaff denied claims that Sony’s Apache servers were not fully patched and up to date. The company also had “several layers of firewalls in place,” he said. Credit card data was encrypted, and login/password data was protected with “cryptographic hash functions,” he said.
Rep. Cliff Stearns, R-Fla., asked if Sony regretted its lawsuit against PS3 hackers, which led to retribution attacks on the Sony network. “I think we made the right decision,” Schaaff said. “It appears to have had some fairly negative consequences for the company. But if we hadn’t done something I think it would be playing out in a different company later on.”
After the hearing, Bono Mack said she was satisfied by Sony’s answers, and would start staff legislative discussions with subcommittee Democrats later in the afternoon. No more hearings are planned until a legislative discussion draft is ready, but she will send the company additional questions, she said. Bono Mack said she’s not sure about a time limit for notification in the bill, but she thinks it needs to be shorter than the 60-day standard proposed by some others. Bono Mack still has concerns about Sony using its blog to notify consumers, even if it is widely read, she said.
Bono Mack’s bill is competing with two other data protection bills by previous chairmen of the subcommittee. Stearns has a bill (HR-1841) based on data protection legislation he introduced in the 109th Congress, while Rush has reintroduced (HR-1707) his own data bill from the 111th. “Every new chairman must have to wrestle with this,” Bono Mack said. “You don’t want to reinvent the entire wheel, but the world has changed in two years and in four years.”
Bono Mack is looking at privacy legislation separately from the data protection bill, she said. “You should assume there will be” a broader privacy bill, she said. It should move separately because privacy is a “much more complicated” issue, she said. After dealing with data protection, Bono Mack will likely move to privacy legislation this fall, a spokesman said.