[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

SONY AND EPSILON: LESSONS FOR DATA SECURITY LEGISLATION

HEARING BEFORE THE SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE OF THE COMMITTEE ON ENERGY AND COMMERCE, HOUSE OF REPRESENTATIVES, ONE HUNDRED TWELFTH CONGRESS, FIRST SESSION

JUNE 2, 2011

Serial No. 112-55

Printed for the use of the Committee on Energy and Commerce, energycommerce.house.gov

U.S. GOVERNMENT PRINTING OFFICE, 71-258, WASHINGTON : 2012

For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON ENERGY AND COMMERCE

Majority: FRED UPTON, Michigan, Chairman; JOE BARTON, Texas, Chairman Emeritus; CLIFF STEARNS, Florida; ED WHITFIELD, Kentucky; JOHN SHIMKUS, Illinois; JOSEPH R. PITTS, Pennsylvania; MARY BONO MACK, California; GREG WALDEN, Oregon; LEE TERRY, Nebraska; MIKE ROGERS, Michigan; SUE WILKINS MYRICK, North Carolina, Vice Chairman; JOHN SULLIVAN, Oklahoma; TIM MURPHY, Pennsylvania; MICHAEL C. BURGESS, Texas; MARSHA BLACKBURN, Tennessee; BRIAN P. BILBRAY, California; CHARLES F. BASS, New Hampshire; PHIL GINGREY, Georgia; STEVE SCALISE, Louisiana; ROBERT E. LATTA, Ohio; CATHY McMORRIS RODGERS, Washington; GREGG HARPER, Mississippi; LEONARD LANCE, New Jersey; BILL CASSIDY, Louisiana; BRETT GUTHRIE, Kentucky; PETE OLSON, Texas; DAVID B. McKINLEY, West Virginia; CORY GARDNER, Colorado; MIKE POMPEO, Kansas; ADAM KINZINGER, Illinois; H. MORGAN GRIFFITH, Virginia.

Minority: HENRY A. WAXMAN, California, Ranking Member; JOHN D. DINGELL, Michigan; EDWARD J. MARKEY, Massachusetts; EDOLPHUS TOWNS, New York; FRANK PALLONE, Jr., New Jersey; BOBBY L. RUSH, Illinois; ANNA G. ESHOO, California; ELIOT L. ENGEL, New York; GENE GREEN, Texas; DIANA DeGETTE, Colorado; LOIS CAPPS, California; MICHAEL F. DOYLE, Pennsylvania; JANICE D. SCHAKOWSKY, Illinois; CHARLES A. GONZALEZ, Texas; JAY INSLEE, Washington; TAMMY BALDWIN, Wisconsin; MIKE ROSS, Arkansas; ANTHONY D. WEINER, New York; JIM MATHESON, Utah; G.K. BUTTERFIELD, North Carolina; JOHN BARROW, Georgia; DORIS O. MATSUI, California; DONNA M. CHRISTENSEN, Virgin Islands.

(ii)

Subcommittee on Commerce, Manufacturing, and Trade

Majority: MARY BONO MACK, California, Chairman; MARSHA BLACKBURN, Tennessee, Vice Chair; CLIFF STEARNS, Florida; CHARLES F. BASS, New Hampshire; GREGG HARPER, Mississippi; LEONARD LANCE, New Jersey; BILL CASSIDY, Louisiana; BRETT GUTHRIE, Kentucky; PETE OLSON, Texas; DAVE B. McKINLEY, West Virginia; MIKE POMPEO, Kansas; ADAM KINZINGER, Illinois; JOE BARTON, Texas; FRED UPTON, Michigan, ex officio.

Minority: G.K. BUTTERFIELD, North Carolina, Ranking Member; CHARLES A. GONZALEZ, Texas; JIM MATHESON, Utah; JOHN D. DINGELL, Michigan; EDOLPHUS TOWNS, New York; BOBBY L. RUSH, Illinois; JANICE D. SCHAKOWSKY, Illinois; MIKE ROSS, Arkansas; HENRY A. WAXMAN, California, ex officio.

C O N T E N T S

Hon. Mary Bono Mack, a Representative in Congress from the State of California, opening statement, 1; Prepared statement, 3
Hon. G.K. Butterfield, a Representative in Congress from the State of North Carolina, opening statement, 4
Hon. Marsha Blackburn, a Representative in Congress from the State of Tennessee, opening statement, 5; Prepared statement, 6
Hon. Cliff Stearns, a Representative in Congress from the State of Florida, opening statement, 6
Hon. Pete Olson, a Representative in Congress from the State of Texas, opening statement, 7
Hon. Henry A. Waxman, a Representative in Congress from the State of California, prepared statement, 53
Hon. Edolphus Towns, a Representative in Congress from the State of New York, opening statement, 53

Witnesses

Jeanette Fitzgerald, General Counsel, Epsilon Data Management, LLC, 8; Prepared statement, 10; Answers to submitted questions, 55
Tim Schaaff, President, Sony Network Entertainment International, 17; Prepared statement, 19; Answers to submitted questions, 58

SONY AND EPSILON: LESSONS FOR DATA SECURITY LEGISLATION

THURSDAY, JUNE 2, 2011

House of Representatives, Subcommittee on Commerce, Manufacturing, and Trade, Committee on Energy and Commerce, Washington, DC.

The subcommittee met, pursuant to call, at 12:05 p.m., in room 2123 of the Rayburn House Office Building, Hon. Mary Bono Mack (chairwoman of the subcommittee) presiding.

Members present: Representatives Bono Mack, Blackburn, Stearns, Harper, Lance, Guthrie, Olson, McKinley, Pompeo, Kinzinger, and Butterfield.

Staff present: Charlotte Baker, Press Secretary; Allison Busbee, Legislative Clerk; Paul Cancienne, Policy Coordinator, Commerce, Manufacturing and Trade; Brian McCullough, Senior Professional Staff Member, Commerce, Manufacturing and Trade; Gib Mullan, Chief Counsel, Commerce, Manufacturing and Trade; Shannon Weinberg, Counsel, Commerce, Manufacturing and Trade; Michelle Ash, Democratic Chief Counsel; Felipe Mendoza, Democratic Counsel; and Will Wallace, Democratic Policy Analyst.

OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA

Mrs. Bono Mack. Good afternoon. If the room would please come to order. Guests, kindly take your seats. Thank you. So good afternoon.
In today's online world, your name, birth date, and mother's maiden name are often used to verify your identity. But in the wake of massive data breaches at Sony and Epsilon, we are now painfully more aware that this very same information can be used just as easily to falsify your identity. The time has come for Congress to take action. And the chair now recognizes herself for an opening statement. With nearly 1.5 billion credit cards now in use in the United States and more and more Americans banking and shopping online, cyber thieves have a treasure chest of opportunities today to get rich quick. Why crack a vault when you can hack a network? The Federal Trade Commission estimates that nearly 9 million Americans fall victim to identity theft every year, costing consumers and businesses billions of dollars annually, and those numbers are growing steadily and alarmingly. In recent years, sophisticated and carefully orchestrated cyber attacks designed to obtain personal information about consumers, especially when it comes to their credit cards, have become one of the fastest-growing criminal enterprises here in the U.S., as well as across the world. Just last month, the Justice Department shut down a cyber crime ring believed to be based in Russia, which was responsible for the online theft of up to $100 million. The boldness of these attacks and the threat they present to unsuspecting Americans was underscored recently by massive data breaches at Epsilon and Sony. In some ways, Sony has become Ground Zero in the war to protect consumers' online information. The initial attacks on Sony's PlayStation network and online entertainment services, which put some 100 million customer accounts at risk, were quickly followed by still more attacks at other Sony divisions and subsidiaries. 
Since then, the company, to its credit, has taken some very aggressive steps to prevent future cyber attacks such as installing new firewalls, enhancing data protection, and enhancing their encryption capabilities, expanding automated software monitoring, and hiring a new chief information security officer. These are all important new safeguards, but with millions of American consumers in harm's way, why weren't these safety protocols already in place?

For me, one of the most troubling issues is how long it took Sony to notify consumers and the way in which the company did it--by posting an announcement on its blog. In effect, Sony put the burden on consumers to search for information instead of providing it to them directly. That cannot happen again.

While I remain critical of Sony's initial handling of these data breaches, as well as its decision not to testify at our last hearing--and that goes for Epsilon as well--it is clear that since then, the company has been systematically targeted by hackers and cyber thieves who are constantly probing Sony's security systems for weaknesses and opportunities to infiltrate its networks. So today, I am not here to point fingers. Instead, let us point the way, a better, smarter way to protect American consumers online. As I have said, you shouldn't have to cross your fingers and whisper a prayer whenever you type in a credit card number on your computer and hit ``Enter.'' E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it and that starts with robust cyber security.

As chairman of the subcommittee, I believe the lessons learned from the Sony and Epsilon experiences can be instructive. How did these breaches occur? What steps are being taken to prevent future breaches? What is being done to mitigate the effects of these breaches? And what policies should be in place to better protect American consumers in the future?
Most importantly, consumers have a right to know when their personal information has been compromised, and companies have an overriding responsibility to promptly alert them. These recent data breaches only reinforce my long-held belief that much more needs to be done to protect sensitive consumer information. Americans need additional safeguards to prevent identity theft, and I will soon introduce legislation designed to accomplish this goal.

My legislation will be crafted around 3 guiding principles. First, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data. Second, information considered especially sensitive such as credit card numbers should have even more robust security safeguards in place. And finally, consumers should be promptly informed when their personal information has been jeopardized.

The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification and we need it now. While I remain hopeful that law enforcement officials will quickly determine the extent of these latest cyber attacks, they serve as a reminder that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk. And we have a responsibility as lawmakers to make certain that this happens.

[The prepared statement of Mrs. Bono Mack follows:]

Prepared Statement of Hon. Mary Bono Mack

With nearly 1.5 billion credit cards now in use in the United States--and more and more Americans banking and shopping online--cyber thieves have a treasure chest of opportunities today to ``get rich quick.'' Why crack a vault when you can hack a network?
The Federal Trade Commission estimates that nearly nine million Americans fall victim to identity theft every year, costing consumers and businesses billions of dollars annually--and those numbers are growing steadily and alarmingly. In recent years, sophisticated and carefully orchestrated cyber attacks--designed to obtain personal information about consumers, especially when it comes to their credit cards--have become one of the fastest growing criminal enterprises here in the United States and across the world. Just last month, the Justice Department shut down a cyber crime ring--believed to be based in Russia--which was responsible for the online theft of up to $100 million.

The boldness of these attacks and the threat they present to unsuspecting Americans was underscored recently by massive data breaches at Epsilon and Sony. In some ways, Sony has become ground zero in the war to protect consumers' online information. The initial attacks on Sony's PlayStation Network and online entertainment services--which put some 100 million customer accounts at risk--were quickly followed by still more attacks at other Sony divisions and subsidiaries. Since then, the company--to its credit--has taken some very aggressive steps to prevent future cyber attacks, such as installing new firewalls, enhancing data protection and encryption capabilities, expanding automated software monitoring, and hiring a new Chief Information Security Officer. These are all important new safeguards, but with millions of American consumers in harm's way, why weren't these safety protocols already in place?

For me, one of the most troubling issues is how long it took Sony to notify consumers, and the way in which the company did it--by posting an announcement on its blog. In effect, Sony put the burden on consumers to search for information instead of providing it to them directly. That cannot happen again.
While I remain critical of Sony's initial handling of these data breaches--as well as its decision not to testify at our last hearing, and that goes for Epsilon as well--it's clear that since then the company has been systematically targeted by hackers and cyber thieves who are constantly probing Sony's security systems for weaknesses and opportunities to infiltrate its networks. So today, let's not point fingers. Instead, let's point the way--a better, smarter way--to protect American consumers online. As I have said, you shouldn't have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit ``enter.'' E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it--and that starts with robust cyber security.

As Chairman of this Subcommittee, I believe the lessons learned from the Sony and Epsilon experiences can be instructive. How did these breaches occur? What steps are being taken to prevent future breaches? What's being done to mitigate the effects of these breaches? And what policies should be in place to better protect American consumers in the future?

Most importantly, consumers have a right to know when their personal information has been compromised, and companies have an overriding responsibility to promptly alert them. These recent data breaches only reinforce my long-held belief that much more needs to be done to protect sensitive consumer information. Americans need additional safeguards to prevent identity theft, and I will soon introduce legislation designed to accomplish this goal.
My legislation will be crafted around three guiding principles: First, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data; Second, information considered especially sensitive, such as credit card numbers, should have even more robust security safeguards; And finally, consumers should be promptly informed when their personal information has been jeopardized.

The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification, and we need it now. While I remain hopeful that law enforcement officials will quickly determine the extent of these latest cyber attacks, they serve as a reminder that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk. And we have a responsibility, as lawmakers, to make certain this happens.

Mrs. Bono Mack. And now I would like to recognize the vice chairman of the--oh, I am sorry--the ranking member Mr. Butterfield for his 5-minute opening statement.

OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NORTH CAROLINA

Mr. Butterfield. Let me thank you, Chairman Bono Mack, for your indulgence. I have been in my office with 28 constituents, one of whom was a World War II veteran and several Vietnam veterans and they wanted to take pictures and you know that drill. And so I had to accommodate them as best I could. But we are here and thank you very much for convening this hearing today. And I certainly thank the two witnesses for your presence. Madam Chairman, thank you for holding this hearing on data security and the recent breaches that we have seen at Sony and Epsilon.
Last month, well over 100 million consumer records were compromised as a result of those breaches, including full names, email and mailing addresses, the passwords, and maybe even credit card numbers. Those two major breaches illustrate that no company is safe from attack and that we must always operate at a heightened level of security and vigilance. No company wants its data compromised, and Sony and Epsilon are certainly no exception. Sony was victim to hackers who stole nearly 100 million consumer records, and it took engineers several days to realize that there was an intrusion. During that time, hackers had full access to Sony's servers. The breach that occurred at Epsilon was very large and involved the names and email addresses of about 50 of Epsilon's clients with conservative estimates of 60 million records stolen. Luckily, no critically sensitive information was stolen, but it easily could have been.

It is important that businesses do all they can do to protect consumers from having their information fall into the wrong hands. For many Americans, shopping, paying bills, and refilling prescriptions and communicating with friends and family and even playing games are all done online. As people share more and more information online, the potential for personally identifiable information to be compromised increases exponentially. Names, physical addresses, dates of birth, Social Security numbers, and credit card numbers are just a few of the types of information that hackers are able to access and exploit.

While 46 States have laws requiring consumer notification when a breach occurs, there is currently no federal standard to address this. Moreover, there is no federal law requiring companies that hold PII to have reasonable safeguards in place to protect this information. Without a federal standard, I am concerned that American consumers remain largely exposed online.
And during the 109th Congress and subsequent Congresses, members of this committee worked in a bipartisan fashion to develop the Data Accountability and Trust Act to address the issue of data security. The DATA bill of the 111th Congress by my friend and former chairman of the subcommittee Mr. Rush from Illinois would have required entities holding data containing personal information to adopt reasonable and appropriate security measures to safeguard it and, in the event of a breach, to notify affected individuals. The DATA bill passed the House in the 111th Congress but our friends in the Senate did not act. The DATA bill is a good foundation to improve the security of e-commerce, something that is good for consumers and good for business. It would give American consumers more peace of mind about online transactions and make them more likely to continue and expand their use of online services.

And so, Madam Chairman, we have learned a lot from the breaches at Sony and Epsilon and I expect to learn more today from our two witnesses. I want you to know that I stand ready to work with you and our colleagues to pass a strong bipartisan data security bill like the DATA bill that we saw in the last session. I thank today's witnesses for their testimony and look forward to each of you. Thank you very much. I yield back.

Mrs. Bono Mack. I thank the gentleman. Chairman Upton yielded his 5 minutes for an opening statement to me in accordance with committee rules. And as his designee, I now recognize Mrs. Blackburn for 2 minutes.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TENNESSEE

Mrs. Blackburn. Thank you, Madam Chairman. I will submit my full statement. A couple of comments. I think that the Sony and the Epsilon breaches raise a lot of questions with our constituents. What they are asking us is, number one, how do you minimize identity theft?
Number two, they want proper notifications from the vendors that they are doing business with. And number three, they want to see better coordination with law enforcement. They feel as if this is missing. And I know that as we address this, what we are going to have to look at is better government coordination, incentives for industry cooperation in this issue, stricter penalty deterrents against hackers, and a flexible framework for risk assessment and breach alerts. As we do this, I hope that we will continue to look at the threat of digital protection of intellectual property. The two are interrelated and they both deserve attention. And I have to tell you, with the new music cloud services from Apple, Google, and Amazon, my concern is there that we hold everybody accountable and secure the integrity of that system.

I do want to highlight that on the issue of the illegal downloads and file sharing, my home State of Tennessee has just passed and signed into law a bill that puts in place penalties for this. They have made this a crime in our State, and I am glad they did it because losing content to the rogue Web sites not only becomes an issue for the entertainment industry, but it exposes consumers to viruses, dangerous products, and increases the likelihood of data theft. So I thank you all for being here and I yield back my time.

[The prepared statement of Mrs. Blackburn follows:]

Prepared Statement of Hon. Marsha Blackburn

I thank the Chair for holding this hearing on securing our online data and privacy. This is a timely subject of importance not only for our economy, but also for our virtual and physical safety. Last year Tennessee ranked 18th for fraud, and 19th for identity theft complaints nationwide. But the disturbing proliferation of data theft knows no boundaries in the virtual marketplace. And the Epsilon and the two Sony breaches raise the stakes of our policy response.
Just this week, after problems with the Android app for Skype were apparently fixed, consumers reported receiving robo-calls soliciting their credit card information. Representatives from the industry have an obligation to explain to the American people exactly how our data is being hijacked, and what exactly they plan to do about it. In examining the lifecycle of these data breaches, an obvious and disturbing pattern can be seen in lagging consumer notifications. It's a trend I fear perpetuates industry's ``culture of damage control''--a business strategy that accelerates identity theft and virtual phishing schemes. We need a framework that gives consumers at least a fighting chance to protect the ``Virtual You''--one's online identity--not just the false sense of security they have been fed. I look forward to the witnesses' testimony, and to an open discussion about how we can secure our data and privacy in the virtual realm. I yield my time.

Mrs. Bono Mack. I thank the gentlelady. And the chair recognizes Mr. Stearns for 2 minutes.

OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA

Mr. Stearns. Thank you, Madam Chair. I think it is mentioned by the chairwoman, the FTC recently reported 9 million Americans have fallen victim to identity theft. And I think it is sort of puzzling, a corporation as strong and comprehensive as Sony, they would, you would think, have the ability to certify that their data is secure. As recently mentioned, over 45 States have adopted a data breach notification requirement, but, of course, there is no law on a federal basis. So it is good that you folks are here so we can ask you some questions about, you know, perhaps if you know who the people were, what was the requirements that you set up in a corporation as extensive as Sony, and do you think there is a criminal case here that should be prosecuted? So there are lots of questions so I appreciate your coming here.
As many of you know, I had a bill when I was chairman of the subcommittee that we got out of the House. Unfortunately, it did not get through the Senate. And I have introduced it with Mr. Matheson again, which simply required the Federal Trade Commission to develop these regulations requiring persons that own or possess electronic data to establish necessary security policies and procedures, as well as notification mechanisms. So both of our witnesses today certainly have within their power to provide the software, the data security provisions that are necessary. I think it must be puzzling to them as well as to us why this happened to them considering how sophisticated both of them are. I have had the opportunity to talk to them in my office, so it is very appreciative that you took the time to come here and talk to us and we look forward to your testimony. Thank you.

Mrs. Bono Mack. I thank the gentleman. And the chair recognizes Mr. Olson for 1 minute.

OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

Mr. Olson. I thank the chairwoman for her leadership in calling this timely hearing. As we all learned this morning, overseas hackers from China hacked into Google email accounts. Like Sony, Epsilon, and now Google, my home State of Texas has experienced a massive data breach in April of this year when almost 3.5 million Texans had their personal information, their names, mailing addresses, and Social Security numbers compromised from the office of the Texas Comptroller of Public Accounts, and it was posted to a public server. There is a clear need for government, businesses, and citizens to work together to protect citizens' personal information. I look forward to working with the chairwoman on comprehensive data security legislation. I thank the witnesses for coming. I yield back the balance of my time.

Mrs. Bono Mack. I thank the gentleman and turn our attention to the panel.
We have a single panel of very distinguished witnesses joining us today. Welcome. Each of you has a prepared statement that will be placed into the record, but if you could summarize your statements in your remarks, we would appreciate it. On our panel, we have Jeanette Fitzgerald, General Counsel for Epsilon Data Management, LLC. Also testifying is Tim Schaaff, President, Sony Network Entertainment International. Good afternoon, and thank you both very much for coming. You will each be recognized, as I said, for 5 minutes. To help you keep track of time, there is a clever little device in front of you: red, yellow, green. And when the light turns yellow, please summarize as you would a traffic light. So Ms. Fitzgerald, you are recognized for 5 minutes. And please remember the microphone and pull it close to your mouth if you would.

STATEMENTS OF JEANETTE FITZGERALD, GENERAL COUNSEL, EPSILON DATA MANAGEMENT, LLC; AND TIM SCHAAFF, PRESIDENT, SONY NETWORK ENTERTAINMENT INTERNATIONAL

STATEMENT OF JEANETTE FITZGERALD

Ms. Fitzgerald. Ranking Member Butterfield, and distinguished members of----

Mrs. Bono Mack. Sorry. Excuse me. Would you pull the microphone up?

Ms. Fitzgerald. Closer? Better?

Mrs. Bono Mack. Thank you.

Ms. Fitzgerald. Good morning. Chairman Bono Mack, Ranking Member Butterfield, and distinguished members of the subcommittee, my name is Jeanette Fitzgerald, and I am the general counsel for Epsilon Data Management. Thank you for inviting me to present Epsilon's testimony on data security. I hope that I can provide information today in going forward that will act as a helpful resource as you consider data security legislation that is in the best interest of both consumers and business. My full written testimony has been submitted for the record. I will summarize it here and hope to leave you with three main points. First, who is Epsilon and how do we provide important data management services for our clients?
Second, how the attack of March 30 occurred and what we are doing to apprehend the perpetrators and improve our own data security. And finally, why we think national data breach notification legislation is important.

Epsilon is the leading provider of permission-based email marketing services. Our clients, some of the world's largest and best-known consumer and financial services brands, count on us to send their email messages to their customers, the individual consumer. And as we all know, major brands use email messages to provide consumers with timely information about new products and sales and events, among other things. Epsilon ensures that these email messages comply with applicable legal requirements, including the CAN-SPAM Act. To earn and keep our clients' trust, Epsilon became the first in the industry in 2006 to certify that its information security program complied with the standards issued by the International Association of Standardization, known as ISO. ISO, a highly regarded organization, is recognized by over 160 countries around the world, including the United States, as identifying best practices for information security management. The standards are demanding, requiring over a year to earn initial certification. We are proud that Epsilon leads the industry and that we have achieved yearly recertification, which requires proof that the company is improving its security program each year.

Notwithstanding our internal security procedures and our compliance with these rigorous data security standards, as you know, Epsilon was the victim of a criminal hacking incident at the end of March. Since our information security program was designed to identify and respond to attacks and threats, we were quickly able to detect the unauthorized download activity, which triggered Epsilon's security incident response program. Our investigation, both internal and with an independent third party, is coordinated closely with the Secret Service and is still ongoing.
But we can say that the initial investigation confirms that only email addresses and, in some cases, first and last names were affected by this attack. Again, only email addresses and, in some cases, first and last names were affected. The details of what happened after the attack are in my written statement that has been submitted for the record. We are greatly troubled that this criminal incident has called into question our commitment to data security. But I want to leave you with four main points about what happened and how Epsilon responded. First, our internal response to the criminal attack was immediate. We isolated computers and changed employee access rights. Second, our forensics investigation began within hours. We also reached out to law enforcement just as quickly. Third, notification to our clients also occurred on the same day, and we released a public statement and posted additional public information on our Web site shortly thereafter. And finally, now and going forward, we reiterate our commitment to working with the Secret Service, apprehending the hackers, and improving our own security. Companies like Epsilon are on the frontlines in the fight against data theft. We also believe Congress has an important role to play in protecting consumers. To that end, Epsilon fully supports legislation that would create a uniform standard for data breach notification. The current patchwork of over 45 individual State breach notification laws is confusing. A uniform national law, on the other hand, would provide predictability and equitable protection for consumers, regardless of their State of residence. Chairman Bono Mack, Ranking Member Butterfield, and members of the subcommittee, we look forward to working with you as the legislative process moves forward. I sincerely hope that the information I am able to provide at this hearing is helpful to the subcommittee as it considers this critical issue. Thank you. [The prepared statement of Ms. 
Fitzgerald follows:] [GRAPHIC] [TIFF OMITTED] T1258.001 [GRAPHIC] [TIFF OMITTED] T1258.002 [GRAPHIC] [TIFF OMITTED] T1258.003 [GRAPHIC] [TIFF OMITTED] T1258.004 [GRAPHIC] [TIFF OMITTED] T1258.005 [GRAPHIC] [TIFF OMITTED] T1258.006 [GRAPHIC] [TIFF OMITTED] T1258.007 Mrs. Bono Mack. Thank you, Ms. Fitzgerald. And Mr. Schaaff, you are recognized for 5 minutes. STATEMENT OF TIM SCHAAFF Mr. Schaaff. Thank you. Chairman Bono Mack, Ranking Member Butterfield, and other distinguished members of the subcommittee, thank you for providing Sony with this opportunity to testify on cyber crime and data security. My name is Tim Schaaff and I am president of Sony Network Entertainment International, a subsidiary of Sony Corporation based in California, where we employ approximately 700 people in five offices around the State. I am chiefly responsible for the business and technical aspects of Sony's PlayStation Network and Curiosity, an online service that allows consumers to access movies, television shows, music and video games. Sony Network Entertainment, Sony Online Entertainment--another subsidiary of Sony's--and millions of our customers were recently the victims of an increasingly common digital age crime--a cyber attack. Indeed, we have been reminded in recent days of the fact that no one is immune from the threat of cyber attack. Businesses, government entities, public institutions, and individuals can all become victims. The attack on us, we believe, is unprecedented in its size and scope. Initially anonymous, the underground group associated with last year's WikiLeaks-related cyber attacks openly called for and carried out massive denial-of-service attacks against numerous Sony internet sites in retaliation for Sony bringing action in Federal Court to protect its intellectual property. During or shortly after those attacks, one or more highly skilled hackers infiltrated the servers of the PlayStation Network and Sony Online Entertainment. 
Sony Network Entertainment and Sony Online Entertainment have always made a concerted and substantial effort to maintain and improve their data security systems. We hired a well respected and experienced cyber security firm to enhance our defenses against the denial-of-service attacks threatened by Anonymous, but unfortunately, no entity can foresee every potential cyber security threat.

We have detailed for the subcommittee in our written testimony the timeline from when we first discovered the breach. But to briefly summarize, the first indication of a breach occurred on Tuesday, April 19 of this year. On Wednesday, April 20, we mobilized an investigation and immediately shut down all of the PlayStation Network services in order to prevent additional unauthorized activity. After two highly respected technical forensic firms were retained to assist in a time-consuming and complicated investigation, on Friday, April 22, we notified PlayStation Network customers via post on the PlayStation blog that an intrusion had occurred. After a third forensic firm was retained, on Monday, April 25, we were able to confirm the scope of the personal data that we believed had been accessed. And although there was no evidence credit card information had been accessed, we could not rule out the possibility. Therefore, the very next day, Tuesday, April 26, we issued a public notice that we believed the personal information of our customers had been taken. And that while there was no evidence that credit card data was taken, since we could not rule out the possibility, we had to acknowledge that it was possible. We also posted this on our blog and began to email each of our accountholders directly. We did not merely make statements on our blog.

On Sunday, May 1, Sony Online Entertainment, a multi-player online videogame network, also discovered that data may have been taken. On Monday, May 2, just one day later, Sony Online Entertainment shut down this service and notified customers directly that their personal information may have also been compromised.

Throughout this time, we felt a keen sense of responsibility to our customers. We shut down the networks to protect against further unauthorized activity. We notified our customers promptly when we had specific, accurate, and useful information. We thanked our customers for their patience and loyalty and addressed their concerns arising from this breach with identity theft protection programs for the U.S. and other customers around the world where available, as well as a welcome-back package of extended and free subscriptions, games, and other services. And we worked to restore our networks to stronger security to protect our customers' interests.

Let me address the specific issues you are considering today: notification of consumers when data breaches occur. Laws and common sense provide for companies to investigate breaches, gather the facts, and then report data losses publicly. If you reverse that order, issuing vague or speculative statements before you have specific and reliable information, you either send false alarms or so many alarms that these warnings may be ignored. We therefore support federal data breach legislation and look forward to working with the subcommittee on the particulars of the bill.

One final point--as frustrating as the loss of networks for playing games was for our customers, the consequences of cyber attacks against financial or defense institutions can be devastating for our economy and security. Consider the fact that defense contractor Lockheed Martin and the Oak Ridge National Laboratory, which helps the Department of Energy secure the Nation's electric grid, were also cyber attacked within the past 2 months. By working together to enact meaningful cyber security legislation, we can limit the threat posed to us all. We look forward to this initiative to make sure that consumers are empowered with the information and tools they need to protect themselves from cyber criminals. Thank you very much.

[The prepared statement of Mr. Schaaff follows:]

Mrs. Bono Mack. Thank you, Mr. Schaaff. And I would like to thank both of you for your opening statements, as well as for your unique insight into these disturbing data breaches. I am confident that the lessons learned will assist us in our efforts to develop new online safeguards for American consumers. And I am going to recognize myself for the first 5 minutes of questioning. And, Mr. Schaaff, given the extreme makeover of Sony's online security protocols, it does beg the question: why weren't many of these safeguards, such as having a chief security information officer, in place before the April data breaches?

Mr. Schaaff. We believe that the security that we had in place was very, very strong and we felt that we were in good shape. However, as the attacks indicated, the intensity and sophistication of the hack was such that even despite those best measures that we had taken, it was not sufficient.
And as we recognize moving forward that the scrutiny that we are likely to be under from the hackers will continue, we have made additional commitments to enhance the security of our networks. In addition, we had been working for some months now, more than 18 months, to expand both the capacity and security of our network. We are a new business but we are a very fast-growing business.

Mrs. Bono Mack. All right. Let me jump ahead.

Mr. Schaaff. Sure.

Mrs. Bono Mack. You indicated with Sony in the May 3 letter that you contacted the FBI on April 22, which was 2 days after it determined the breach had in fact occurred. Why did Sony wait 2 days to notify law enforcement?

Mr. Schaaff. My understanding is that we notified them as soon as we had something clear that we could report that indicated some sign of external intrusion that would be unauthorized or illegal.

Mrs. Bono Mack. Your testimony indicates four servers were taken offline on April 19 before you pulled the plug on all 130 servers. Can you tell us what information was different that was stored on those initial four servers?

Mr. Schaaff. Well, these were part of a larger network of machines and we believed this was just the first entry point that the hacker may have used to get into the network, and upon discovering them, we immediately shut them down. But there were other servers that were also attacked by the hackers as well.

Mrs. Bono Mack. Some media reports indicate Sony's servers may not have had up-to-date patches or firewalls prior to the attack. Is that true?

Mr. Schaaff. That is actually patently false. The Apache servers were fully up to date, fully patched. And in fact, we had had several layers of firewalls in place, also contrary to so many of the things you may have read on the internet. As you know, the internet is not always a reliable source of factual information.

Mrs. Bono Mack. And you state that you believe the cyber attack on Sony was unprecedented in both size and scope. Can you explain why you believe it is unprecedented?

Mr. Schaaff. Well, we believe that the sophistication of the attack, the collection of activities that were undertaken, the period of time in which the hackers were carefully exploring the network, and then ultimately the scope of the service that was breached makes it quite a remarkable attack. And despite the deep security measures that we had taken, it was nevertheless insufficient to guard against these attacks.

Mrs. Bono Mack. Was the consumer data you held encrypted? And why or why not?

Mr. Schaaff. So, of course, the credit card information that was held was encrypted. Password login data was protected using cryptographic hash functions. And these practices are in line with industry practice.

Mrs. Bono Mack. Thank you. Ms. Fitzgerald, would greater security requirements have prevented your breach? And if not, what added protection are your new security measures providing?

Ms. Fitzgerald. At the time, we had very extensive security as I noted in my opening statement and the written statement I provided. We have continued through the investigation to evaluate additional things that may be done to strengthen both our networks and any of the access points. We have also decided to hire some outside experts to even evaluate the network further and see if there is anything else in different parts of our network that need to be adjusted.

Mrs. Bono Mack. Coming as a consumer who received multiple notices about your breach, there are also indications that consumers received notice of the breach from your business customers for which, in some cases, they hadn't had a purchase or customer relationship for 4 or 5 years. Do you ever purge your data and why do you hold onto information for as long as you do?

Ms. Fitzgerald. So let me step back a second to remind everyone how Epsilon plays in this. Epsilon is a service provider to the well-known names that you may have received notifications from, and they have the relationship with the consumer. What data we hold is determined by the client, and the client then tells us what to hold and what we then do with it in terms of sending out notices or any sort of marketing messages is entirely up to the client. It is not----

Mrs. Bono Mack. Do you advise them on when it might be a good time to purge data?

Ms. Fitzgerald. It depends on what they want to do with the data. And there is also opt-out data that would have been held because in order to comply with CAN-SPAM, you have to maintain records of who has opted out. So if, 2 years ago, you opted out and you haven't had any activity, that list would still be there because you have to comply with CAN-SPAM. So we have to be able to duplicate or de-duplicate and take those names out any time that we do a mailing.

Mrs. Bono Mack. OK. Thank you. My time has expired. I will recognize the ranking member, Mr. Butterfield, for his 5 minutes.

Mr. Butterfield. Thank you, Madam Chairman. Mr. Schaaff, let me start with you and if I have any time remaining, I will go over to Ms. Fitzgerald. Mr. Schaaff, I understand that your internal investigation has not turned up any evidence suggesting that credit card data was taken from the network, but to me, that doesn't necessarily mean that the data was not taken, just that you haven't turned up any digital fingerprints that would allow you to know with certainty that it was taken. And I think you see what I am saying there. Help me with that. How certain are you that the data was not taken in the attack?

Mr. Schaaff. Well, as you know, we have been engulfed in an intensive investigation over the past 6 weeks since the breach occurred, and we have looked deeply at the logs related to the databases.
And in those logs we have found no clear evidence that there was any access made to the credit card information, and we found plenty of evidence that suggests that that data was not accessed. That is the basis for today's statements that we do not believe the credit card information was compromised.

Mr. Butterfield. Now, in your testimony, you mentioned that the attack took place on April 19, that the PlayStations were shut down on April 20, and that you did something on April 22. Help me with that if you could shed some light on what you did on April 22.

Mr. Schaaff. On April 22, this was the point at which we first notified consumers that there had been an intrusion. We were trying to understand what had happened to the network, and we were actively beginning the investigation of that breach. And at the point that we were able to determine that there had been an intrusion, we immediately notified consumers so that they would be aware of what had occurred, even though at that time we were not yet able to confirm precisely which data may have been compromised.

Mr. Butterfield. So is it your testimony that on April 22, you began the process of notifying the consumers?

Mr. Schaaff. Well, we notified them on the PlayStation blog of the intrusion, but then on April 26, we followed that up with an additional notification regarding more specifics related to the actual data that may have been breached and we began immediately notifying consumers starting from that date via email of the breach as well.

Mr. Butterfield. But the April 22 announcement was simply on the internet? It was on the blog?

Mr. Schaaff. That was posted on the PlayStation blog. The PlayStation blog is one of the most active and popular blogs on the web. It is currently ranked about number 20, just behind the White House blog. So it is a very, very expected place for our consumers to look for information.

Mr. Butterfield. Do you have any way of knowing how many consumers actually read the statement?

Mr. Schaaff. I don't know the answer to that off the top of my head. We can investigate and----

Mr. Butterfield. But 7 days after the breach was when official notification was issued?

Mr. Schaaff. We were not able to determine until the day that we had notified consumers. We were searching for evidence that would allow us to confirm the status of the credit card information and not being able----

Mr. Butterfield. Do you think 7 days was a reasonable time?

Mr. Schaaff. Actually, what has been interesting from my perspective is that we have continued this investigation in the successive weeks, and as you hear me speaking today, some of our conclusions with respect to credit card information have changed somewhat from our original statements. And that change has occurred because of the continuing investigation. In the abundance of caution, we acknowledged the possibility that credit cards would have been taken in our announcements on the 26th. But as you can see, the situation changes as the investigation proceeds, and we felt it would have been irresponsible if we had notified consumers earlier with partial or incomplete information.

Mr. Butterfield. But you have, based on your experience here, made some corrections and some adjustments in the credit card data that you collect?

Mr. Schaaff. We have been working to increase the security of the entire network and additional controls related to credit card data have also been put in place, yes.

Mr. Butterfield. And how do these measures compare to those for the other types of personal information that you have, the credit card data versus the other information?

Mr. Schaaff. Yes, excuse me. The credit card information is the most highly protected and guarded information. It is all encrypted and so even if it is taken, it is not likely to be useful to the hacker.

Mr. Butterfield. Is it true that user passwords were hashed and not encrypted? Is that true?

Mr. Schaaff. That is true. It is true that they were hashed using cryptographic hash functions. That is an industry practice which is very standard. It is not an unusual practice at all.

Mr. Butterfield. Industry standard. Well, why don't you use any type of encryption in your procedures?

Mr. Schaaff. It is a form of protection that is very, very closely related to encryption, and I am not an expert in cryptography so I am not sure that I could answer the question in a more detailed way.

Mr. Butterfield. What is irreversible encryption?

Mr. Schaaff. Irreversible encryption is my understanding of the definition of a cryptographic hash. I am sorry. This is--wait. OK.

Mr. Butterfield. Ms. Fitzgerald, your testimony states that Epsilon's internal investigation revealed that the login credentials of the employee who reported unusual and suspicious download activity had been compromised. And in layman's terms, I suppose, I assume this means that the employee's credentials had been hijacked and been used by a hacker to carry out the intrusion into your network and to steal consumers' email addresses. Can you please tell me a little bit more about what that means, that the employee's login credentials were compromised?

Ms. Fitzgerald. Well, what we had understood during the investigation is that the credentials were somehow used based on the logs, though not necessarily by that person, to actually download that information. That is why we then immediately--our system kicked into place and immediately we saw that there were improper downloads and so our security system kicked in and then we knew that there was a problem and we shut their access down and anybody else who had credentials at that level and took that computer off the system.

Mr. Butterfield. Thank you. My time has expired.

Mrs. Bono Mack. I thank the gentleman and recognize the gentleman from Florida, Mr. Stearns, for 5 minutes.

Mr. Stearns. Thank you, Madam Chair. Let me be sure I understand, Ms. Fitzgerald, exactly what was taken.
It is our understanding emails were taken and the name of the people whose email was taken. Is that correct?

Ms. Fitzgerald. I am sorry. Was that to me?

Mr. Stearns. Yes.

Ms. Fitzgerald. I am sorry.

Mr. Stearns. What was actually taken, as I understand it, is emails----

Ms. Fitzgerald. It was email addresses, and in some cases, first and last names.

Mr. Stearns. First and last names. OK. And that was all?

Ms. Fitzgerald. Yes.

Mr. Stearns. And you said that you notified all 50 to 75 customers. Is that correct?

Ms. Fitzgerald. There were about 50 customers of our clients that were affected.

Mr. Stearns. OK.

Ms. Fitzgerald. And we notified them.

Mr. Stearns. Would you provide the committee the complete list of those?

Ms. Fitzgerald. The names of those clients are subject to agreements that we have with them, and we are supposed to keep those confidential.

Mr. Stearns. So you cannot provide us----

Ms. Fitzgerald. So we notified them promptly so they could----

Mr. Stearns. No, I know you notified them, but you cannot provide the committee with these names? Is that what you are saying today?

Ms. Fitzgerald. Not at this point, no.

Mr. Stearns. Now, I have in our material that some of these people are J.P. Morgan Chase, Capital One, Citibank, Best Buy, Verizon, Target, Home Shopping Network, and Verizon. Is that part of the 50 to 75?

Ms. Fitzgerald. I recognize most of those names as being ones that sent us notification----

Mr. Stearns. They are people that have a huge number of people, so the impact of this 50 to 75, we cannot even comprehend how many Verizon has. So can you extrapolate, not telling us in detail, but if Verizon is one of your customers and you had a breach with the emails and names, does that mean that perhaps millions of names from Verizon had been breached?

Ms. Fitzgerald. There could be many.

Mr. Stearns. Just yes or no.

Ms. Fitzgerald. Yes.

Mr. Stearns. Yes, OK.
Now, with Sony, the question is, as I understand it, the password for the Sony PlayStation was breached. Is that correct?

Mr. Schaaff. Well, we believe that there were a number of different types of information accessed, including first name and last name, address, date of birth, login, password, login address----

Mr. Stearns. For the Sony PlayStation?

Mr. Schaaff. For the Sony PlayStation Network, yes.

Mr. Stearns. OK. And what about their credit cards?

Mr. Schaaff. As I said, we had originally stated that there was a possibility. We could not rule out the possibility that the credit card information had been accessed. At this point in time, we do not see any evidence that it has been.

Mr. Stearns. OK. When you look at the person's credit card together with personal information, his password for Sony PlayStation, would one person have all of that breached for that one person or is it segmented so somebody got their password, somebody got their credit card, somebody got their person or is all this information together when it was breached?

Mr. Schaaff. It is difficult for us to know exactly which data was taken, but it is likely that they would have been taken together, but we don't know for which accounts that would have been.

Mr. Stearns. And what is a conservative estimate of the number of people who were affected by this breach?

Mr. Schaaff. Well, so we have announced that there were approximately 77 million accounts that could have been accessed. When we took the network offline, obviously all of our customers were affected for the period of time that the network has been down, but that is part of the reason why we have provided the identity theft insurance, identity theft protection program, and these welcome back programs was to appreciate and acknowledge the loss of access to the network that our customers experienced and to address the concerns that they may have regarding the loss of their personal information.

Mr. Stearns. Is it true that you brought suit to protect your IP against the hackers of PlayStation III device?

Mr. Schaaff. That is true.

Mr. Stearns. Why did you bring this suit?

Mr. Schaaff. Well, just like the music industry and the movie industry, the PlayStation business is built upon intellectual property. Content providers invest millions of dollars to create titles that we then help them to distribute in our business and the employment of literally tens of thousands of people around the country.

Mr. Stearns. Knowing what has happened to you with this breach, would you say that you would do it again?

Mr. Schaaff. I am sorry. I didn't hear the question.

Mr. Stearns. Knowing what has happened with this breach, would you go ahead and have done that suit again in hindsight?

Mr. Schaaff. Well, I think this is one of the great challenges right now is how do companies protect their content businesses? I mean I think we made the right decision. Did it have consequences? It appears to have had some fairly negative consequences for the company. But if we hadn't done something, I think it would be playing out in a different company later on.

Mr. Stearns. OK.

Mr. Schaaff. I think this is a big issue for the Nation.

Mr. Stearns. Now, assuming we have federal legislation, do you think federal legislation to address security breaches would help? Because I understand both of you are in States where we have state legislation and that didn't seem to necessarily force you to have a secure data security department. So why would federal legislation make it better than the States who have already passed? And you didn't comply, evidently, with the States.

Mr. Schaaff. Well, actually, I think that the issue regarding the States' rights--I am not a lawyer. Let me mention up front I am not a lawyer.

Mr. Stearns. Right.

Mr. Schaaff. But my understanding here is that there are a variety of laws in a number of the States, but the laws are often seemingly in conflict and they can create very complicated situations for us to understand how we should behave properly with regard to notification obligations. Regarding the security of the network, I think the evidence of Epsilon, of Sony, of many other companies that have been reported in the news in the last several weeks indicates that despite spending millions of dollars to secure your networks, despite all of the best methods known to us, our networks are not 100 percent protected. It is a process that requires continual investment, and we do that, but I think without additional support from the government, it is unlikely we will all collectively be successful, and that will threaten the livelihood of the internet, the growing internet economy.

Mr. Stearns. Thank you.

Mrs. Bono Mack. The gentleman's time has expired. The chair recognizes Mr. Guthrie for 5 minutes.

Mr. Guthrie. Thank you, Madam Chairman, for having this hearing. I appreciate it very much. So just to follow up on what Mr. Stearns said, the patchwork of state laws, the different state jurisdictions complicated your ability to respond? You didn't say that. Is that what I heard?

Mr. Schaaff. I was responding specifically to the issue about the notification obligation.

Mr. Guthrie. Right, the notification state laws.

Mr. Schaaff. It is my understanding that there are some conflicting obligations there.

Mr. Guthrie. So a federal standard would be----

Mr. Schaaff. A federal standard that would preempt the states would be extremely helpful.

Mr. Guthrie. OK. I just want to get kind of the nature--so Epsilon is a vendor for you? Is Epsilon a vendor for Sony? So did the hacker go to Epsilon into Sony or Sony to Epsilon to get to the other--how did that work?

Mr. Schaaff. I am sorry. Let me clarify. These are actually two completely separate breach events.

Mr. Guthrie. OK.

Mr. Schaaff. So the activity at Epsilon was completely unrelated to--as far as we know--what happened at Sony.

Mr. Guthrie. So you are not a vendor with Epsilon? This is two completely separate--OK. So the other customers--OK. I was thinking--I apologize. But your other customers, they came--the Epsilon, they got to your system, and then through your system were able to--at least the companies that you notified, the Verizons, the Krogers that was mentioned earlier, that was how that breach worked?

Ms. Fitzgerald. So as a vendor, our ability to send out email addresses on behalf of those clients requires us to maintain those email addresses for them.

Mr. Guthrie. Right.

Ms. Fitzgerald. And that is how the hackers got in and got that information.

Mr. Guthrie. OK. OK. Has Sony been victim before of any type of breach? And if so, how did that--not to this level, I know, but----

Mr. Schaaff. We certainly experience a constant level of fraud, and we are under regular probing by hackers and others. I mean I think it is a standard part of anybody who is in the internet business these days.

Mr. Guthrie. And for both of you, too, I know I am manufacturing background and we did ISO 9000, which was a set of standards for quality control. They have ISO 14000, a set of standards for environmental--and they are good practices to follow, but they leave a lot of interpretation to the businesses because otherwise they are formed by committee, and it would be difficult to change every time something needs to be changed. I am not familiar with this particular standard that you are talking about, but is it sufficient if you follow the ISO standards to--I guess my question is your industry is so fast-changing that when you are in the automotive industry, which I am in, you put a standard in place, it takes a while for things to innovate that the standard is out of date.
It appears to me when I saw ISO that it would be difficult for them to keep up with the changes in the industry or, I guess what I am saying, the ability of people who hack to innovate to find new ways into your system. So is it sufficient--I guess ISO being certified sufficient, you think?

Ms. Fitzgerald. We don't use the ISO as the only thing we do. We have lots of audits by our clients. We have 70 audits we have to do. And then, frankly, we have our own security program where we are continually trying to upgrade our systems and to make sure that we make things as tight as we can, but the hackers are very sophisticated. This wasn't some guy in a garage just coming after us. These are sophisticated guys. And I have talked to the Secret Service enough times now to know that we are not the only one and that they are working with the FBI. And there is a concerted effort to go after these guys.

Mr. Schaaff. Um-hum. Yes, I would concur. I mean I think these guidelines and standards are important for the industry to move forward, but they are far from sufficient. And if they had been sufficient, I, you know, I wouldn't be here. And I think that we are all under attack and without additional measures to be taken and without kind of constant renewal of our practices, it is not going to be sufficient to fight the latest attacks.

Mr. Guthrie. OK. Thank you. I guess one thing that I am really kind of concerned about as we move forward, I know Sony--any time you spend money because somebody did something illegal, that is an inefficiency to everybody. But the two- or three-store small business in Kentucky that maintains their clients files and just having the resources to be able to respond to protect their clients, to protect their customers. And just do you have any estimate of how much money just these events are going to cost your firm and hits, you know, the economy overall because that is what----

Mr. Schaaff. I believe we have made statements publicly estimating a cost something in the range of $170 million for this particular incident. And obviously, as you note, for smaller businesses, number one, the ability to secure their networks as effectively is less because of the economics of that. And the evidence that I have seen in various reports suggests that the prevalence of successful attacks on small and midsize businesses is even higher than we see with the larger companies. It is a scary situation.

Mr. Guthrie. Well, thank you. I yield back to the chairwoman.

Mrs. Bono Mack. I thank the gentleman and the chair notes that we are being called to the floor for votes. My intention is to try to get through two more member questioning 5-minute segments before we recess. So the chair now recognizes Mr. Olson for 5 minutes.

Mr. Olson. I thank the chairwoman. And again, I thank the witnesses for coming and giving us your expertise, your time today. As I stated in my opening statement, my home State of Texas experienced a serious and troubling data breach earlier this year. Names, addresses, social security numbers, and in some cases, birthdates and drivers' license numbers of state retirees and unemployment beneficiaries were posted unencrypted on a public server. In response, our state attorney general and the FBI have launched a criminal investigation into this data breach. Unfortunately, these kinds of breaches are happening more frequently and they cause businesses tens of billions of dollars annually. The Federal Trade Commission estimates that 9 million individuals in the United States have their identities stolen every year. This is the equivalent of approximately 17 identities stolen every minute. That means that during the course of this hearing, if all of my colleagues and I take up our full 5 minutes, 85 IDs across this country will have been stolen.
In response to the Texas data breach, the comptroller of public accounts launched a Web site called Texas Safeguard, which was created as a tool for Texans to receive up-to-date information about the breach, along with recommended security steps to take. And of note, they actually put a toll-free number up for folks to call and the comptroller is offering credit monitoring at no charge. There is also a frequently-asked-questions page which outlines six steps people can take to protect themselves. But this burden is placed upon these victims of this breach and they have got to spend their own time enrolling in credit monitoring, placing fraud alerts on their credit files, requesting credit reports, and so on, and so on, and so on. Ms. Fitzgerald, Mr. Schaaff, given the breaches your companies have experienced and all the heartache and lost revenue, all the upset customers, all the resources you have had to expend to determine how these breaches occurred, I don't want to put words in your mouth, but you do think that there is a clear need for a comprehensive federal data breach and notification law, one that will create a uniform standard and preempt the current patchwork of state laws? Yea, nay?

Ms. Fitzgerald. I do believe that it would be great if we had a federal data breach notification law that did preempt all of the state laws so it would be straightforward and companies would know exactly what they needed to take care of and who they needed to notify and when they needed to notify.

Mr. Olson. Mr. Schaaff?

Mr. Schaaff. Sony is also very supportive of such legislation and we would be very happy to participate and help in the formation of that legislation.

Mr. Olson. All right. Thank you. And Ms. Fitzgerald, this is just for you, but why did you choose to contact law enforcement, the FBI, and the Secret Service as soon as you became aware of the incident? And is this a typical response for Epsilon to get law enforcement involved when a breach occurs when you don't necessarily know the extent of it?

Ms. Fitzgerald. Well, we knew pretty quickly that there had been some data that had been downloaded and taken by somebody who wasn't authorized, and therefore, it was a criminal act in our mind. And so we went to look for law enforcement, the right ones to help us go after the bad guys.

Mr. Olson. OK. And for you, Mr. Schaaff? I know you and PlayStation had one heck of an April. But why did you conclude that notifying PlayStation Network customers via the PlayStation blog was, as you stated, ``one of the best, fastest, and most direct means of communicating with customers?''

Mr. Schaaff. In the years that PlayStation has been in business, we have managed this blog and it has become a very, very popular source of information for our customers about new game titles and all kinds of information related to PlayStation. And we know that it is a good way to get a message out to customers quickly. Of course, that wasn't the only way we communicated with our customers. We did follow up with public announcements through other channels, as well as email, direct emails to the consumers following the breach.

Mr. Olson. OK. And one final question about sort of how you are prepared for this. I mean I know, Ms. Fitzgerald, from your testimony Epsilon had reactive plans in place ready to go if some sort of breach happened, and I assume that is the same for Sony.

Mr. Schaaff. Absolutely.

Mr. Olson. But, I mean, is there a specific entity within both of your companies that is proactive? I mean somebody you have got in your company that sort of looks at your security systems and tries to penetrate it, tries to find the weaknesses; I mean sort of a proactive approach instead of reacting to a breach, preventing a breach by recognizing weaknesses within the company?

Mr. Schaaff. We have a successful approach to security that involves both proactive as well as reactive approaches, and we definitely have those kinds of resources in place in my company and in Sony Corporation as a whole, an important part of our process.

Ms. Fitzgerald. And I would agree with that also. Epsilon has that.

Mr. Olson. OK. I see I am down to 16 seconds. I thank the witnesses again for your time. And at the risk of getting crosswise with the chairwoman and Mr. Stearns left, but go Mavericks.

Mr. Schaaff. Thank you.

Mrs. Bono Mack. The chair recognizes Mr. Harper for 5 minutes.

Mr. Harper. Thank you, Madam Chair. I would ask you, Mr. Schaaff, why did it take Sony approximately 7 days to notify customers that their personal data had been compromised?

Mr. Schaaff. Well, the basic essence here was to find the right balance between notifying customers as soon as we had some sense that something had gone wrong but not being irresponsible in that notification and creating undue stress or concern within the customer base. We immediately began an investigation and we were able to notify customers within a couple of days that we had had an unauthorized external intrusion. But it took us several more days to be able to clearly discern what information had been taken and even at that point, we were not able to rule out the possibility that credit card information had been taken. Nevertheless, we went ahead and made a public statement regarding the potential of those losses.

Mr. Harper. I just want to be clear. So how long was it before any customers got notification?

Mr. Schaaff. We first discovered unusual activity on the 19th. We shut down the network on the 20th of April, and we notified consumers on the 22nd of April. So it was basically 2 days.

Mr. Harper. Did you notify all the consumers at that point?

Mr. Schaaff. Well, so at that point we were intensely involved in this investigation to try to figure out what to notify the customers about.
And so at that time we notified using the blog that we believed that there had been an intrusion. And then beginning on the 26th when we made a lot of public announcements related to specific information that may have been lost, we initiated through news channels, obviously our blog, as well as through a direct email campaign to the customers detailed information about the nature of the loss.

Mr. Harper. How many notifications did each consumer receive?

Mr. Schaaff. Well, my understanding is that in regard to the Sony PlayStation breach, that should have been approximately 77 million emails that were sent.

Mr. Harper. Now, I understand but were they notified more than one time as you learned additional information?

Mr. Schaaff. Well, we notified via the blog on the 22nd. We provide updates on that blog on a regular basis as to kind of the concurrent state of affairs, but I believe in terms of the email notifications related to the potential loss of data, that was a one-time event.

Mr. Harper. Do you believe the news that you passed on, looking back now, do you believe it was done quickly enough?

Mr. Schaaff. What I would say is that we tried very, very hard to find the right balance there, and I believe that if we had responded earlier, it would have probably been irresponsible. Even to this day we question whether we should have taken a little bit more time to finish the investigation with regard to the credit card information. I believe we probably struck the right balance, but it was a tough call.

Mr. Harper. And I know there was a letter that was sent out on May 3 where you had indicated that there was no evidence of misuse of the customers' personal information that was accessed during that breach. We are a month past that point. Is that still your position on that?

Mr. Schaaff. When we talked to the credit card companies, they have still told us that they see no signs of unusual activity related to this breach.

Mr. Harper. And do you know where the attacks originated?

Mr. Schaaff. Unfortunately, at this time we don't.

Mr. Harper. OK.

Mr. Schaaff. We are working with law enforcement and others to try to figure that out, but at this time we don't have any clear----

Mr. Harper. Of course, we certainly hear media reports or speculation, and I know you don't have it with any certainty, but there was one report that initially suggested that Amazon's pay-per-use cloud service may have been used. Is there any accuracy to that or any proof of that?

Mr. Schaaff. Well, so what I know is the FBI is investigating that report, and at this time I don't have any other information about whether that is true or not.

Mr. Harper. Now, does Sony Online Entertainment and Sony Network Entertainment, are they using the same server models and security protections and the software?

Mr. Schaaff. We comply with the same types of industry practices and are subject to the same policies as far as being a part of the Sony Corporation. The specific architecture of each of those services is probably different because the types of services that we provide are different. But, you know, across the industry, most internet service providers are building their services out of largely the same basic components so there is probably a lot of commonality there.

Mr. Harper. Thank you. Madam Chair, I yield back the balance of my time.

Mrs. Bono Mack. I thank the gentleman. And at this point in time we are going to recess the committee to head over to the floor for votes. And our intention is to return as soon after as we can from the series of votes. It should be about 45 minutes is my guess. Things could change. So the subcommittee stands recessed until after the last vote on the floor.

Ms. Fitzgerald. Thank you.

[Recess.]

Mrs. Bono Mack. The subcommittee will reconvene and come to order obviously.
I wanted to thank you very much for indulging us and apologize that there has been a slight little change of plans with the minority headed over to the White House for a very important meeting with the President. We have agreed that we would conclude questions. But before I do that, I would like to offer the two of you the opportunity to give us any final thoughts you might have and any recommendations for legislation as we move forward in the process here. So I recognize each of you for 5 minutes to do that. And you don't have to take the full 5 minutes if you would like, but the time is yours if you would like it.

Ms. Fitzgerald. Thank you. Honestly, as we have thought about this, we would greatly appreciate the opportunity to work with you and your staff and any members of your subcommittee to create a national data breach notification standard. The details within it would have to be worked out as we think through what would be all the ramifications. And I think clearly I would not be the only one with experience, but we would love to work on that with you.

Mrs. Bono Mack. Mr. Schaaff?

Mr. Schaaff. Thank you. I want to thank you again for the opportunity to come and speak today and especially thank you for all the work you have done related to intellectual property protection. This is a really critical part of the work we are trying to do to build and grow our business. As you heard in our testimony today and in the private session where we shared more technical details regarding the breach yesterday, despite taking what we believe to be extremely appropriate and substantial steps to build a safe and protected network, hackers were able to get into the network. The thing that is frightening about this is it is easy to focus on Sony and look at the things that we might be able to do in the future to strengthen our network, but the reality is because we are all building our networks out of the same basic ingredients, if there is a weakness in the way that we have built things, chances are, the weaknesses may lie in the components that we rely on from the variety of vendors that we all build our products out of. And I think that we are working together as an industry to try to strengthen our processes and our practices and our technologies, but I think the conclusion that I would leave you with today is that without further assistance from the government, I think that we are all going to have a world of hurt in this internet economy. And we really would appreciate and request your assistance. And regarding the specific legislation, we are also extremely supportive of this and would welcome the opportunity to contribute and speak to you further regarding its development. Thank you.

Mrs. Bono Mack. Well, I thank you both very much. And Mr. Schaaff, I would also like to address a comment earlier about the question of would you or would you not file suit again to protect your intellectual property, and I wanted to commend you on your answer. And I am glad that you did it then. And you know, too often people are afraid of being hacked and the retribution because of the decisions you make.

Mr. Schaaff. It can be a lonely place.

Mrs. Bono Mack. Well, I want to applaud you for that. And again, thank you both very much for the spirit with which you came before us today and the spirit of cooperation. I think the committee is very excited about the opportunity to work with you and to craft good legislation. So we have a unique opportunity now as a subcommittee to make certain that the future cyber attacks on American consumers will never again be a silent crime.
So at this point I would like to remind all members they have 10 business days to submit questions for the record, and I ask witnesses to please respond promptly to any questions they receive. And the hearing is now adjourned.

Mr. Schaaff. Thank you very much.

Ms. Fitzgerald. Thank you very much.

[Whereupon, at 2:14 p.m., the subcommittee was adjourned.]

[Material submitted for inclusion in the record follows:]

Prepared Statement of Hon. Henry A. Waxman

I would like to thank Chairman Bono Mack and Ranking Member Butterfield for following this important issue. Data security is not a partisan issue. It is an issue that affects all of us because sooner or later everyone is vulnerable to cyber attacks: private sector companies of all sizes; federal, state and local governments; and the American public. Just yesterday, we learned of an attempted attack on Google email accounts that included efforts to steal email passwords and other information from high-ranking government and military officials--a stark reminder of the financial and national security risks posed by hackers.

At last month's hearing titled ``The Threat of Data Theft to American Consumers,'' we reviewed how the federal government investigates data breaches and what it should do to ensure that private sector companies protect the personal information of their consumers. Today we are going to hear from Sony and Epsilon, two companies that recently suffered massive data breaches. We have all heard the numbers: the personal information in over 100 million user accounts was compromised in the Sony breach. The customers of more than 50 major corporations were affected by the Epsilon breach, including customers of Target, Best Buy, JP Morgan, and US Bank.

While we will delve into the specifics of these two breaches, the point isn't to make an example of these two companies. We need to know how these breaches happened and to find out what these companies are doing, and what they can do better. And we need to understand the appropriate federal role in this area. We need a government that can partner with companies to make sure they do a better job protecting the information they demand of consumers.

As I said at the last hearing, the private sector can, and must, safeguard personal information. If companies do not take reasonable steps to guard their data and they suffer a cyber attack or data breach, the cost to consumers can be immense. When it comes to data security, prevention is the best medicine and certainly the cheapest. Yet too many companies are not doing enough prevention and consumers are paying the price.

We in Congress also have a role; we can conduct oversight and legislate when needed. The recent attacks on Sony, Epsilon, and now Gmail are proof that it is indeed time to legislate. In particular, Congress should pass the Data Accountability and Trust Act, H.R. 2221 from the 111th Congress. The bill requires companies to have reasonable data security measures in place and to notify consumers once a breach has occurred. It passed the House last Congress with strong support from both sides of the aisle. We should take swift action to pass it in this Congress.

I look forward to today's hearing and working together to ensure that the private sector is doing all that it can to protect the personal information of the American people.

----------

Prepared Statement of Hon. Edolphus Towns

Thank you Chairman Bono Mack and Ranking Member Butterfield for holding this hearing today on the importance of data security to our nation.

The information age has ushered in a new era in technology that offers many Americans the ability to access, store and transfer massive amounts of information at any given time. With the advent of the internet and the advancement of e-commerce, Americans have been able to engage in a variety of online activities that require personal information to be shared in cyber space. Unfortunately, more often than not this information is compromised by computer-savvy individuals that use this information to access the identity of their victims. Data breaches have become more common in recent years due to the massive amounts of personal information that are stored on computer servers which many people thought were secure.

In April of this year Sony Corporation and Epsilon Data Management revealed they had been involved in two of the biggest data breaches this year. Sony made public that its PlayStation Network had been breached on April 26, 2011; however, the breach took place one week prior to their notification of PlayStation account holders. The Sony PlayStation Network has over 77 million accounts that were compromised due to this lapse in security. It is my hope that this hearing will shed light on how this breach was able to take place and why it took a week for Sony to notify its account holders.

Epsilon Data Management LLC is one of the largest email marketing companies in the country. Over 40 billion emails are sent from this company annually to consumers. On April 1, 2011 Epsilon revealed that an unauthorized entry to its email system had occurred, exposing the personal information of several million customers of companies employing Epsilon for marketing purposes. Reportedly consumer information had been available for months.

Consumers must feel safe in knowing that the information that they share with companies involved in e-commerce is safe and secure. The recent data breaches at the Sony Corporation and Epsilon Data Management raise questions about what protocols are in place to protect consumers against hackers who would do them harm. Currently there is no comprehensive federal law that requires all companies that hold consumers' personal information to implement reasonable measures to protect that data. I look forward to working with my colleagues on this committee to ensure the American people that their personal information is kept safe from malicious cyber attacks.

Thank you, Madam Chair. I yield my time.

----------

[GRAPHIC] [TIFF OMITTED] T1258.029 through T1258.048 (submitted material, images not reproduced)