Executives who contended with massive data breaches at two companies—Sony and Epsilon—agreed Thursday that a uniform federal law governing disclosure would improve responses to future breaches, but they also defended their security and response times.
“Regarding the security of networks, I think the experience of Epsilon and Sony indicates that despite spending millions to protect your networks—despite all the best methods known to us—the networks are not 100 percent protected. It is a process that requires continuing investment,” Tim Schaaff, president of Sony Network Entertainment International, testified at a hearing of the U.S. House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade.
In late April, Sony shut down the PlayStation Network and the Qriocity streaming media service for almost a month after breaches exposed personal information on 100 million accounts. Sony estimates that the damage cost $171 million to fix. Yet another hacking attack against Sony surfaced Thursday, this time in the Sony Pictures division. The group that claimed responsibility for it said it was easy to enter the computer systems and access customer data because the company had poor security measures in place.
Earlier in April, a hacker using an employee’s password at Epsilon—which handles e-mail marketing campaigns for major companies—stole millions of e-mail addresses and possibly customer names. While Epsilon did not name the companies victimized, its clients include Best Buy, Walgreens, Citigroup, JPMorgan Chase, Hilton, and Marriott. In both cases, the culprits are unknown.
Committee members are mulling a White House proposal for legislation to establish a single federal law requiring companies to notify users of breaches that expose personal information. Currently, 47 state laws govern such notification. Both Schaaff and Jeanette Fitzgerald, chief counsel for Epsilon Data Management, endorsed the idea, saying a uniform federal law would clarify what they needed to do and when they needed to do it.
Rep. Mary Bono Mack, the California Republican who chairs the committee, criticized Sony for taking a week after detecting its breach to explain to customers that their data, including names, addresses, birth dates, and e-mail addresses, had been exposed. “In effect, Sony put the burden on consumers to search for information instead of providing it to them directly,” she said. But Schaaff said that Sony actually may have gone too far in suggesting that credit-card data, too, might have been stolen; it now appears the card information remained protected, he said.
He said that any data-breach law should be careful to strike a balance between warning victims in a timely manner and giving them accurate information. And he denied media reports—and insinuations by some of the congressional questioners—that Sony’s servers weren’t adequately protected. “That’s patently false—the Apache servers were fully up to date and fully patched, and had several firewalls in place,” he said. “The intensity and sophistication of the hack—despite those best measures taken, they were not sufficient.” Sony has since added layers of protection, he said.
Earlier, Sony said it would hire a chief information security officer—a position that already exists at many other big companies.
Fitzgerald said Epsilon had tight security and added that industry security standards—which she said the company had followed—are “far from sufficient.” She added, “If they were sufficient, we wouldn’t be here. We are all under attack.”