Sony Breach Spurs Call for Tough Legislation
"It is appropriate to question whether enough is being done to solve the data breach problem," CDT's Justin Brookman told legislators at a privacy hearing last week. "Although some state and federal regulations require companies to notify affected consumers of a data breach, the financial and reputational cost of notification may not provide many companies with adequate incentive to properly protect consumers' data in the first place."
May 10, 2011 5:00 AM PT
A key element in the shifting political winds in Washington is a call for less business regulation, especially from the conservative wing of the now ascendant Republican majority in the U.S. House of Representatives.
But one leading Republican last week tossed that mantra aside and launched into a tirade of criticism of Internet enterprises and promised to pursue enactment of tougher federal regulation to protect consumer privacy.
"Americans need additional safeguards to prevent identity theft, and I will soon introduce legislation designed to accomplish this goal," said Rep. Mary Bono Mack, R-Calif.
"The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification, and we need it now," Bono Mack urged last week while chairing a House Energy and Commerce subcommittee hearing.
Sony Takes the Heat
Although the hearing covered the general question of consumer Internet privacy, recently revealed breaches involving Sony and its PlayStation customers, as well as last month's data breach at Epsilon, clearly caught lawmakers' attention, particularly given that both companies declined to appear at the hearing.
"I am deeply troubled by these latest data breaches, and the decisions by both Epsilon and Sony not to testify. This is unacceptable," Bono Mack said.
Eugene Spafford, chair of the U.S. Public Policy Council for the Association for Computing Machinery (USACM), testified at the hearing on the mushrooming growth of incidents involving consumer security breaches. Almost 600 million records have been disclosed in 2,459 separate incidents in the United States between 2005 and May 2011, he noted, including both intentional and accidental breaches, based on data from the Privacy Rights Clearinghouse.
"The Sony breaches disclosed in April and May of 2011 alone equal approximately 100 million records," said Spafford, who also serves as executive director of the Center for Education and Research in Information Assurance and Security at Purdue University.
Despite the widespread inconvenience -- and even harm -- suffered by consumers, Internet operators in general do not yet have sufficient incentives to meet the threat of cyberhackers or to promptly and adequately reveal breaches to customers when Internet intrusions are discovered. Much of the hearing was devoted to the question of motivating Internet operators to disclose breaches.
"Given its growing scale and persistence, it is appropriate to question whether enough is being done to solve the data breach problem," Justin Brookman, director of the Center for Democracy & Technology's Project on Consumer Privacy, said at the hearing. "Although some state and federal regulations require companies to notify affected consumers of a data breach, the financial and reputational cost of notification may not provide many companies with adequate incentive to properly protect consumers' data in the first place."
Better Incentives Needed
"In general, operators don't think about the worst-case scenario because it's not a profit center," Brookman told the E-Commerce Times. "There are not quite enough incentives for complete protection right now."
Spafford made the same point at the hearing, telling committee members that "security and privacy protection is viewed as overhead that is not recovered in increased revenue, and it is usually one of the first things trimmed in budget cuts."
Both Brookman and Spafford favor legislation that improves upon current federal laws and regulations, and provides enough enforcement muscle to motivate operators to improve both the prevention of attacks and consumer notification when breaches occur. Brookman also advocates the imposition of civil penalties on operators as a mechanism to encourage security.
The increasing alarms about data breaches could provide an opportunity for vendors offering security technology.
"There is a lot out there to choose from in terms of the number of vendors and available security technologies," Brookman told the E-Commerce Times.
At the hearing Spafford called for increased investments by both government and the private sector in cybersecurity forensic technologies and for research into "privacy enhancing and privacy preservation technologies for large data sets."
While the development of better security technologies will be helpful in the future, Spafford noted that existing solutions are widely available, provided that operators make the necessary investments.
"The vast majority of incidents occur from organizations not using technologies and methods that are already known and available. Thus, the need is really to have some regulation to encourage organizations to do the right thing," he told the E-Commerce Times.
Sony did not get off the hook, even though the company failed to appear at the hearing. Bono Mack and colleague Rep. G.K. Butterfield, D-N.C., wrote to Sony on April 29 demanding answers.
In a reply issued May 3, Sony admitted that it became aware of a potential breach on April 19 and took a variety of steps to ascertain the scope of the problem, deploying both company and outside computer forensic experts. After investigating the problem, the company concluded on April 25 that it could not "rule out" the possible theft of personal information and issued a notice to consumers on April 26.