Lawmakers: New data protection regulations needed

Sony incident a giant wake up call

The U.S. Congress needs to pass new data security regulations for businesses in response to recent data breaches at Sony, Epsilon and other companies, members of a U.S. House of Representatives subcommittee said Wednesday.

The data breaches at Sony, involving more than 100 million accounts on its [PlayStation and Online Entertainment networks], and at e-mail marketing firm Epsilon, involving about 50 of its business customers, are "deeply" troubling, said Representative Mary Bono Mack, chairwoman of the House Energy and Commerce Committee's commerce and trade subcommittee.

Since 2005, companies have reported about 2,500 data breaches involving hundreds of millions of customer records, said Bono Mack, a California Republican. "This begs the important question: If we don't do something soon, what's next?" she said. "And where does it end?"

The subcommittee invited representatives of Sony and Epsilon, which reported their data breaches in the past two months, to testify during the hearing, but both companies declined, instead sending written responses to lawmakers' questions. Bono Mack called the companies' refusal to testify "unacceptable."

Sony is still investigating the breaches, a spokesman for Bono Mack said.

Several lawmakers said they planned to use 2009's [Data Accountability and Trust Act] as a starting point for new legislation. The DATA Act, introduced by Representative Bobby Rush, an Illinois Democrat, failed to pass through Congress.

Rush's bill would have required organizations holding personal data to maintain security policies and to notify affected consumers after a data breach. The legislation would have allowed civil penalties of up to US$5 million for organizations that do not take adequate security measures and organizations that do not notify consumers of data breaches.

The Sony breach has the "potential to become the Great Brink's Robbery of cyber-attacks," Bono Mack said.

"Like their customers, both Sony and Epsilon are victims, too," she added. "But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it -- and that starts with robust cybersecurity."

Months before Sony announced the breach, security researchers revealed that the company was running an outdated and unpatched version of the Apache Web server, said Eugene Spafford, executive director of the Purdue University Center For Education and Research in Information Assurance and Security.

Sony spokespeople did not immediately respond to a request for comments, but in [the company's written response] to the subcommittee, the company said PlayStation Network intruders used "very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside the servers."

Several subcommittee members, however, questioned whether many U.S. businesses were taking necessary steps to protect their data. Representative Brett Guthrie, a Kentucky Republican, asked if businesses are "sloppy" or if cybercriminals are "just a step ahead."

In nearly all data breaches, businesses haven't taken reasonable precautions, said Pablo Martinez, deputy special agent in charge of the Criminal Investigative Division at the U.S. Secret Service. In its [2010 data breach investigations report], Verizon Business found that 96 percent of breaches were avoidable through simple or intermediate controls, Martinez noted.

"A lot of times, it's that some of these security measures that should be in place, just aren't fully implemented," Martinez said. "Although we do have criminals that are highly sophisticated, and we have seen the amount of attacks due to hacking increase, a lot of these attacks could have been avoided had best practices been applied."

Asked if U.S. businesses were taking enough action to prevent attacks, all four witnesses at the hearing answered "no."

One lawmaker questioned how businesses know they've lost data. "I've not been a victim that I know of," said Representative David McKinley, a West Virginia Republican who ran his own architectural and construction firm before he was elected to Congress in 2010.

"How does a company know that it's been breached?" he said. "Would our IT person have seen a breach? Would he have seen something flashing?"

In some cases, a business loses a laptop containing consumer data, or system logs show unauthorized access, witnesses told him. McKinley then asked if all small businesses have system logs showing data breaches.

Some do and some don't, Spafford said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags sonydata protectionEpsilonLawmakers

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?