Skip to main content

Sony, Legislators Agree Fed Data Security/Notification Bill Needed

A Sony executive told Congress Thursday the company would welcome a federal law on data security and notification, one that would supersede 46 state laws on the subject.

Sony and e-mail company Epsilon were on the hot seats in a House Commerce subcommittee hearing Thursday about online data breaches at both companies and the need for a federal standard for protecting data and notifying Web users when those protections are breached.

Subcommittee Chair Mary Bono Mack (R-Calif.) said she was working on legislation that would set that federal standard. It would include requiring companies that hold personal information to establish security procedures for protecting it; establish even more robust security for certain classes of especially sensitive information, like credit card numbers; and require prompt notification when someone's personal information has been jeopardized.

Bono Mack, seconded by members on both sides of the aisle, said the government needed to take decisive action on a uniform standard. She said that companies have a responsibility to protect personal information, but that lawmakers need to make sure that is going to happen.

Ranking subcommittee member G.K Butterfield (D-N.C.) said he was ready to work with Bono Mack on a strong, bipartisan bill. Businesses must do everything they can to protect the shopping, bill-paying, entertainment, and communications that is all being done online and the information that is being shared. He pointed to the 46 state laws on breach notification, but said there needed to be a federal standard, without which he said consumers would continue to be exposed.

He pointed out that former Subcommittee Chair Bobby Rush (D-Ill.) had proposed a data security bill that passed the House and stalled in the Senate. He said that would be a good foundation for a new effort to give online consumers piece of mind and help boost e-commerce by making people more comfortable with such transactions.

Sony PlayStation network exec Tim Schaaff, who was a witness at the hearing, said that it was easy to focus on Sony, but everyone was building networks out of the same basic ingredients and that there could be weaknesses at vendors they were building their products from. He said that without some data security assistance from government, the internet economy was going to be in a "world of hurt," and that Sony strongly supported a federal standard and would be glad to work with Congress on developing it. He quantified Sony's particular world of hurt with the recent data breach, estimating the cost to Sony at $170 million.

Just how promptly Sony had informed its online PlayStation Network customers about the data breach affecting some 77 million accounts was a topic of much discussion at the hearing.

Bono Mack, who called Sony "ground zero" in the war to protect online information, said she was concerned that Sony did not have more robust protections in place before the attacks and said she was troubled by the length of time it took to tell users about the breach, and that the first notification was on the Play Station blog.

Schaaff said that the company did have protections in place, just insufficient to deal with what he called an attack unprecedented in its size and scope. He said that the blog was the fastest and most effective way of letting users know that a breach had occurred, which notification came only two days after the company had determined there was "credible" evidence of the breach. He pointed out that the blog was a popular place for users to get info about the network, and was just behind the White House in activity among web blogs.

Sony did not warn customers that their credit card info might have been breached until April 26, seven days after they first noticed something fishy (or "phishy" as the case may be) with the network. That time lapse was criticized by several legislators at the hearing. Schaff said that they were trying to strike a balance between "giving people the information they need, when they need it," and "sounding false alarms or so many alarms that these warnings are ignored."

Given that Sony subsequently has found no evidence that credit card #'s were taken, he said they still debated whether they should have waited rather than issuing the April 26 public notice that the numbers might have been compromised.

Schaff pointed out that Sony had plenty of high-profile company in being the subject of successful hacks, citing cyber attacks Lockheed Martin and the Oak Ridge National Laboratory--the latter which "helps secure the nation's energy grid"--in the last two months. "As frustrating as the loss of networks for playing games was for our customers," he said. "The consequences of cyber attacks against financial or defense institutions can be devastating for our economy and security."

Schaff said the company supported legislation that would: "(1) provide consumers the assurance that if and when their personal data is compromised, they will receive timely, meaningful and accurate notice of this fact; (2) ensure that consumers receive helpful information on what measures they can take to mitigate any potential harm; and (3) provide uniformity so consumers are treated equally no matter what state they live in and businesses no longer have to navigate varying and sometimes seemingly conflicting state laws in this field."