Representative Mary Bono Mack, a California Republican, said she will soon introduce legislation focused on ensuring that companies holding personal data secure it. Although she didn't provide many details, the legislation will include a data breach notification requirement, Bono Mack said during a hearing of the House Energy and Commerce Committee's trade subcommittee.
Lawmakers quizzed representatives of the two companies about data breaches, with some questioning whether the companies did enough to protect themselves.
"These recent data breaches only reinforce my long-held belief that much more needs to be done to protect sensitive consumer information," said Bono Mack. "Americans need additional safeguards to prevent identity theft."
Representatives of both Sony and Epsilon told lawmakers they would support a national breach notification law that preempts state laws. More than 45 states now have laws requiring breached companies to notify affected customers.
The multiple state laws are "seemingly in conflict" and make it difficult for companies to comply, said Tim Schaaff, president of Sony Network Entertainment International.
Companies need U.S. government support to fight cyber-attacks, Schaaff added. "Despite spending millions of dollars to secure your networks, despite all of the best efforts known to us, our networks are not 100 percent protected," he said. "It's a process that requires continual investment. I think without additional support from the government, it's unlikely that we will all, collectively, be successful, and that will threaten the livelihood of the growing Internet economy."
The attack on the PlayStation Network, discovered April 19, will cost the company about US$170 million, Schaaff told lawmakers.
Representative Cliff Stearns, a Florida Republican, questioned whether a new cybersecurity law would protect customers. State data protection and notification laws didn't seem to work in the Sony and Epsilon cases, he said. "You didn't comply, evidently, with the states," he said.
Bono Mack also criticized Sony for the timing of its breach notifications to customers.
"For me, one of the most troubling issues is how long it took Sony to notify consumers, and the way in which the company did it -- by posting an announcement on its blog," she said. "In effect, Sony put the burden on consumers to search for information instead of providing it to them directly. That cannot happen again."
Schaaff defended the way Sony notified customers. Sony posted information about the breach on the well-read PlayStation blog on April 22, three days after the company discovered the breach, he said. The blog "has a highly visible and deeply engaging relationship with our customers and is one of the best, fastest and most direct means of communicating with them," he said.
Sony e-mailed PlayStation account holders beginning on April 26, he added.
Epsilon's breach, discovered March 30, exposed the e-mail addresses, and in some cases, names, of millions of people who do business with the company's clients, said Jeanette Fitzgerald, Epsilon's general counsel.
Representative Brett Guthrie, a Kentucky Republican, asked Fitzgerald if implementing better security standards would have protected Epsilon.
Epsilon uses a number of tools to protect itself, she said. "The hackers are very sophisticated," she added. "This wasn't some guy in a garage."