Lawmakers: New data protection regulations needed

Sony incident a giant wake up call

The U.S. Congress needs to pass new data security regulations for businesses in response to recent data breaches at Sony, Epsilon and other companies, members of a U.S. House of Representatives subcommittee said Wednesday.

The data breaches at Sony, involving more than 100 million accounts on its [PlayStation and Online Entertainment networks], and at e-mail marketing firm Epsilon, involving about 50 of its business customers, are "deeply" troubling, said Representative Mary Bono Mack, chairwoman of the House Energy and Commerce Committee's commerce and trade subcommittee.

Since 2005, companies have reported about 2,500 data breaches involving hundreds of millions of customer records, said Bono Mack, a California Republican. "This begs the important question: If we don't do something soon, what's next?" she said. "And where does it end?"

The subcommittee invited representatives of Sony and Epsilon, which reported their data breaches in the past two months, to testify during the hearing, but both companies declined, instead sending written responses to lawmakers' questions. Bono Mack called the companies' refusal to testify "unacceptable."

Sony is still investigating the breaches, a spokesman for Bono Mack said.

Several lawmakers said they planned to use 2009's [Data Accountability and Trust Act] as a starting point for new legislation. The DATA Act, introduced by Representative Bobby Rush, an Illinois Democrat, failed to pass through Congress.

Rush's bill would have required organizations holding personal data to maintain security policies and to notify affected consumers after a data breach. The legislation would have allowed civil penalties of up to US$5 million for organizations that do not take adequate security measures and organizations that do not notify consumers of data breaches.

The Sony breach has the "potential to become the Great Brink's Robbery of cyber-attacks," Bono Mack said.

"Like their customers, both Sony and Epsilon are victims, too," she added. "But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it -- and that starts with robust cybersecurity."

Months before Sony announced the breach, security researchers revealed that the company was running an outdated and unpatched version of the Apache Web server, said Eugene Spafford, executive director of the Purdue University Center For Education and Research in Information Assurance and Security.

Sony spokespeople did not immediately respond to a request for comments, but in [the company's written response] to the subcommittee, the company said PlayStation Network intruders used "very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside the servers."

Several subcommittee members, however, questioned whether many U.S. businesses were taking necessary steps to protect their data. Representative Brett Guthrie, a Kentucky Republican, asked if businesses are "sloppy" or if cybercriminals are "just a step ahead."

In nearly all data breaches, businesses haven't taken reasonable precautions, said Pablo Martinez, deputy special agent in charge of the Criminal Investigative Division at the U.S. Secret Service. In its [2010 data breach investigations report], Verizon Business found that 96 percent of breaches were avoidable through simple or intermediate controls, Martinez noted.

"A lot of times, it's that some of these security measures that should be in place, just aren't fully implemented," Martinez said. "Although we do have criminals that are highly sophisticated, and we have seen the amount of attacks due to hacking increase, a lot of these attacks could have been avoided had best practices been applied."

Asked if U.S. businesses were taking enough action to prevent attacks, all four witnesses at the hearing answered "no."

One lawmaker questioned how businesses know they've lost data. "I've not been a victim that I know of," said Representative David McKinley, a West Virginia Republican who ran his own architectural and construction firm before he was elected to Congress in 2010.

"How does a company know that it's been breached?" he said. "Would our IT person have seen a breach? Would he have seen something flashing?"

In some cases, a business loses a laptop containing consumer data, or system logs show unauthorized access, witnesses told him. McKinley then asked if all small businesses have system logs showing data breaches.

Some do and some don't, Spafford said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags LawmakersEpsilonsonydata protection

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?