In the wake of Sony’s PlayStation Network intrusion and data theft of 100+ million accounts, the Subcommittee on Commerce, Manufacturing, and Trade is holding a hearing on the topic titled The Threat of Data Theft to American Consumers. Representatives of the Federal Trade Commission, U.S. Secret Service, Center for Democracy and Technology, and Purdue University are being called as witnesses to the hearing which is gaining publicity due to the magnitude and publicity of Sony’s breach. Along with Sony, Epsilon, the marketing company for dozens of national businesses that suffered a similar breach last month, is highlighted as victims that must bear the responsibility of storing consumer data in the opening statement of today’s hearing (.pdf) from Commerce, Manufacturing, and Trade Subcomittee Chairman, Mary Bono Mack.
Today, American consumers are under constant assault. As quickly and quietly as a wallet canbe stolen by a skilled pickpocket, your personal identity can be hijacked without you knowing itby online hackers. The Federal Trade Commission estimates that nearly nine million Americans fall victim to identity theft every year, costing consumers and businesses billions of dollars annually – and those numbers are growing steadily and alarmingly.
In recent years, sophisticated and carefully orchestrated cyber attacks – designed to obtainpersonal information about consumers, especially when it comes to their credit cards – havebecome one of the fastest growing criminal enterprises here in the United States and across theworld. The boldness of these attacks and the threat they present to unsuspecting Americans wasunderscored recently by massive data breaches at Epsilon and Sony.
With 77 million accounts stolen – including some 10 million credit card numbers – the data breach involving Sony’s PlayStation Network has the potential to become the “Great Brink’s Robbery” of cyber attacks. And the “take” keeps going up.
While the FBI and Secret Service, along with other law enforcement agencies, work around the clock to try and crack this sensational case, we now learn that a second Sony online service wasalso compromised during the same time period. Computer hackers obtained access to personal information relating to an additional 25 million customer accounts. That’s more than 100 million accounts now in jeopardy.
Like their customers, both Sony and Epsilon are victims, too. But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits “enter.” E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with robust cyber security.
As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable.
According to Epsilon, the company did not have time to prepare for our hearing – even though its data breach occurred more than a month ago. Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them.
For instance: How did these breaches occur? What steps are being taken to prevent futurebreaches? And what’s being done to mitigate the effects of these breaches on American consumers?
Yet for me, the single most important question is simply this: Why weren’t Sony’s customers notified sooner of the cyber attack? I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony – as well as all other companies – have an overriding responsibility to alert them…immediately.
In Sony’s case, company officials first revealed information about the data breach on their blog. That’s right. A blog. I hate to pile on, but – in essence – Sony put the burden on consumers to “search” for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.
This ongoing mess only reinforces my long-held belief that much more needs to be done to protect sensitive consumer information. Americans need additional safeguards to prevent identity theft, and I will soon introduce legislation designed to accomplish this goal. My legislation will be crafted around a guiding principle: Consumers should be promptly informed when their personal information has been jeopardized.
Clearly, cyber attacks are on the rise. According to the Privacy Rights Clearinghouse, over twenty-five hundred data breaches – involving some 600 million records have been made public since 2005. In fact, last month alone, some 30 data breaches at hospitals, insurance companies, universities, banks, airlines and governmental agencies impacted nearly 100 million records. And that’s in addition to the massive breaches at Epsilon and Sony.
The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification, and we need it now.
While I remain hopeful that law enforcement officials will quickly determine the extent of these latest cyber attacks, they serve as a reminder – as well as a wake-up call – that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk. And we have a responsibility, as lawmakers, to make certain this happens.
A little more in depth look at the issues occurring recently are found in today’s Marketplace Tech Report.
For more reporting on the hearing today, you can read or listen to a brief coverage from the Marketplace Morning Report.
I disagree with the statement by Larry Ponemon that consumers will go to Microsoft’s Xbox or Nintendo’s Wii as a result of this breach. There are many more factors in the industry besides supply and demand. “All other things being equal” but they’re not equal. Just one factor is that many of the victims are kids who play the console. They’re more concerned about the network coming back up so they can play with friends than they are about their data (or their parents’) being stolen.
I do like the comment by Professor Farber that legislation on technology is a bad mix. Defining what people must do or must implement with the fast pace of technology impedes innovation and may actually weaken security as everybody reaching for the same benchmark just makes for a broad target, similar to why Windows and Internet Explorer were frequently the victims of malicious individuals until Adobe Flash and Reader offered a bigger footprint.
Fortunately, today’s hearing seems to focus more on legislating a time-frame for company’s that have lost consumer data to disclose it to customers, something Sony is being sued over and that can be measured.