On June 2, 2011, representatives from Sony Network Entertainment International and Epsilon Data Management, LLC appeared before a House panel to answer questions regarding their responses to recent security breaches. The hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade was called by Subcommittee Chairwoman Mary Bono Mack (R-Calif.) as part of the subcommittee’s comprehensive review of data security for the purpose of assessing the need for comprehensive federal data security and breach notification laws.
Jeanette Fitzgerald, general counsel for Epsilon Data Management, LLC, and Tim Schaaff, president of Sony Network Entertainment International, appeared on behalf of their respective companies. Their testimony to the subcommittee regarding their companies’ breach investigation, response, and disclosure closely tracked the information each company had already provided in written responses to subcommittee inquiry letters. Fitzgerald and Schaaff both agreed that there was a need for a national uniform standard for notifying individuals whose personal information is affected by a breach that preempted existing state laws. Indeed, Fitzgerald’s prepared testimony states that: “Epsilon fully supports national legislation that would create a uniform standard for data breach notification. The current patchwork of individual state breach notification laws only serves to create confusion among consumers and businesses, and imposes unnecessary compliance costs.” Similarly, Schaaff warned in his prepared testimony that any national data breach notice standard should follow a common sense approach that allows companies adequate opportunity to investigate breaches and take remedial measures before making them public. He said that “issuing vague or speculative statements before you have specific and reliable information” could lead companies to “either confuse and panic people, without giving them useful facts, or … bombard them with so many announcements that they become background noise.”
At the end of the hearing Rep. Bono Mack committed to working with her colleagues to pass comprehensive data security legislation to ensure Americans are protected from cyber crimes.
While Epsilon has not made any public statements regarding the costs it has incurred or anticipates as a result of the breach of its systems, Sony estimates its costs at $171 million for data security remediation, customer services, and legal fees by the March 31, 2012 close of its 2011 fiscal year. The subcommittee background memorandum, which includes links to communications with Sony and Epsilon, is available here. Rep. Bono Mack’s opening remarks are available here. You can watch a recording of the hearing here.