House members at a panel hearing on data breach legislation Wednesday had harsh words for Sony and Epsilon, two companies that have suffered public data breaches in the past two months.
Both companies declined invitations to testify at the hearing.
Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and called its efforts “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach.
The company has come under fire not only for data breaches that compromised the personal details of millions of customers, but also for failing to let customers know of the breach until April 26, a week after it first discovered something was wrong with its servers.
In its reply to Bono Mack and subcommittee ranking member Rep. G.K. Butterfield (D-N.C.), Sony said that it waited to inform consumers until it had more complete information on the attack.
The firm said that it believes it has identified the cause of the attack, though not who is behind it. The company did, however, find evidence pointing to the hacktivist group Anonymous. The group has denied that it is responsible for the attack.
Sony also said that it has not received any reports of fraudulent credit card transactions linked to the attacks.
In testimony at the hearing, David Vladeck, head of the FTC’s Bureau of Consumer Protection, restated that the agency supports national legislation requiring reasonable security policies and breach notification requirements that would act as a floor for state data breach laws.
Bono Mack said at the hearing that she will propose data breach legislation soon.
On Wednesday, the FTC also announced that it had settled with two companies, Ceridian Corporation and Lookout Services, that were charged with improperly protecting consumer data. Both companies agreed to orders that require a comprehensive information security program and independent security audits every other year for the next 20 years.