June 02, 2011, 3:27 PM — Recent data breaches at Sony's PlayStation Network and at e-mail service provider Epsilon will lead to legislation focused on improving cybersecurity at U.S. companies, the chairwoman of a U.S. House of Representatives subcommittee said Thursday.
Representative Mary Bono Mack, a California Republican, said she will soon introduce legislation focused on ensuring that companies holding personal data secure it. Although she didn't provide many details, the legislation will include a data breach notification requirement, Bono Mack said during a hearing of the House Energy and Commerce Committee's trade subcommittee.
Lawmakers quizzed representatives of the two companies about data breaches, with some questioning whether the companies did enough to protect themselves.
"These recent data breaches only reinforce my long-held belief that much more needs to be done to protect sensitive consumer information," said Bono Mack. "Americans need additional safeguards to prevent identity theft."
Representatives of both Sony and Epsilon told lawmakers they would support a national breach notification law that preempts state laws. More than 45 states now have laws requiring breached companies to notify affected customers.
The multiple state laws are "seemingly in conflict" and make it difficult for companies to comply, said Tim Schaaff, president of Sony Network Entertainment International.
Companies need U.S. government support to fight cyber-attacks, Schaaff added. "Despite spending millions of dollars to secure your networks, despite all of the best efforts known to us, our networks are not 100% protected," he said. "It's a process that requires continual investment. I think without additional support from the government, it's unlikely that we will all, collectively, be successful, and that will threaten the livelihood of the growing Internet economy."
The attack on the PlayStation Network, discovered April 19, will cost the company about $170 million, Schaaff told lawmakers.
Representative Cliff Stearns, a Florida Republican, questioned whether a new cybersecurity law would protect customers. State data protection and notification laws didn't seem to work in the Sony and Epsilon cases, he said. "You didn't comply, evidently, with the states," he said.
Bono Mack also criticized Sony for the timing of its breach notifications to customers.
"For me, one of the most troubling issues is how long it took Sony to notify consumers, and the way in which the company did it -- by posting an announcement on its blog," she said. "In effect, Sony put the burden on consumers to search for information instead of providing it to them directly. That cannot happen again."