Executives from Sony and Epsilon, speaking Thursday before a House Commerce Manufacturing and Trade subcommittee, endorsed the idea of a federal law regulating data breaches.
In an opening statement, Rep. Mary Bono Mack (R-Calif.), who chairs the subcommittee, said that while she did not entirely approve of the way the companies had handled data breaches affecting their networks, she wanted to move forward and outline the best way to protect online consumers.
Jeanette Fitzgerald, the general counsel for Epsilon, endorsed national legislation and said that the patchwork of state laws regulating data breaches made it difficult for companies to respond to attacks. Epsilon, a marketing company, was hit with a cyberattack in late March that leaked the e-mail addresses and names of millions of consumers.
A single law, she said, “would make it much easier and less costly for business to ensure any applicable notification requirements are met.”
Sony’s Tim Schaaf, president of Sony Network Entertainment International, said the company supports standard legislation that would require companies to provide timely, accurate information on breaches and to provide customers with resources to combat the effects of an attack.
Schaaf was also called upon to defend some of Sony’s practices following its network intrusion.
“Sony put the burden on consumers to search for information instead of providing it to them directly,” she said, adding that such a practice is unacceptable.
Schaaf said that the company’s blog is very popular and a useful way for the company to communicate with its customers quickly and efficiently. He added that Sony later e-mailed customers affected by the attack.
He also defended Sony’s decision to delay informing customers of the breach until the company fully understood the implications of the attack. The company’s servers were breached on April 19 and Sony first notified customers that sensitive data was taken on the 26th.
Bono Mack said she will introduce legislation that will require companies to establish and maintain security policies, give special protection to sensitive information such as credit cards and promptly notify consumers when data has been breached.
“We need a uniform national standard for data security and data breach notification, and we need it now,” Bono Mack said.