Top executives from Sony and online marketing firm Epsilon told lawmakers Thursday that they support federal legislation that would require companies to promptly notify consumers if their personal information is stolen or exposed by a data breach.
Testifying at a House Commerce subcommittee hearing, the executives expressed support for national legislation to pre-empt a patchwork of varied state laws.
The House Commerce Subcommittee on Commerce, Manufacturing and Trade held Thursday's hearing after high-profile breaches at the two companies in recent months exposed personal information belonging to millions of consumers, including credit card numbers in the case of the Sony breach.
Sony Corp., in particular, is facing questions about why it did not inform consumers more quickly after a massive cyber-attack targeted credit card information through its popular PlayStation Network and its Sony Online Entertainment network, compromising more than 100 million user accounts.
Although Sony began investigating unusual activity on the PlayStation network on April 19, the company did not issue a public notice and begin emailing customers to alert them that their personal information had been taken until April 26. But Tim Schaaff, president of Sony Network Entertainment International, stressed in his testimony Thursday that Sony used a blog post to notify PlayStation Network customers that an intrusion had occurred as early as April 22.
Schaaff added that he believes the company struck the right balance by waiting until it had more information before informing consumers.
"Laws — and common sense — provide for companies to investigate breaches, gather the facts, and then report data losses publicly," he said. "If you reverse that order — issuing vague or speculative statements before you have specific and reliable information — you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."
Still, Rep. Mary Bono Mack criticized the company's handling of the matter. "In effect, Sony put the burden on consumers to search for information instead of providing it to them directly," said Bono Mack, who chairs the Subcommittee on Commerce, Manufacturing and Trade. "That cannot happen again."
Bono Mack plans to introduce legislation that would require companies that hold consumer data to put in place security measures to protect that information, with even stronger safeguards for sensitive data such as credit card numbers. Her bill would also require companies to promptly notify consumers if that data has been compromised.
The cyber-attack targeting Sony was the second big data breach to grab headlines in recent months. Sony's problems came on the heels of a huge breach at Epsilon, a unit of Alliance Data Systems Corp. that handles email marketing campaigns for major banks, hotels and stores. Epsilon's customers include Citigroup Inc., JPMorgan Chase & Co., Best Buy Co. Inc., the Kroger Co. grocery chain, Walgreen Co.'s drugstores and the Hilton and Marriott International Inc. hotel chains.
The hack into its systems resulted in the theft of potentially millions of email addresses, and in some cases customer names, that Epsilon Data Management LLC maintained on behalf of its clients. Although email addresses by themselves are of little use to criminals, they can be used in so-called "phishing" attacks. Such attacks trick consumers into revealing passwords, Social Security numbers and other sensitive data by sending them emails that appear to come from companies they already patronize.
In her testimony Thursday, Jeanette Fitzgerald, general counsel of Epsilon, said the company acted quickly to launch an investigation, notify law enforcement and contact its clients as soon as a company employee detected suspicious activity on March 30. She added that the company tried to address consumer concerns by providing information on its website on April 1 and again on April 6, and by establishing a response center to answer questions from consumers and corporate clients.
Sony, too, has been working with law enforcement authorities to investigate the intrusions into its systems. And on Thursday, Sony said it is fully restoring its PlayStation Network in the U.S., Europe and parts of Asia after the attacks forced the company to shut the system down.