[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


 
        SONY AND EPSILON: LESSONS FOR DATA SECURITY LEGISLATION

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 2, 2011

                               __________

                           Serial No. 112-55


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
71-258                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).


                    COMMITTEE ON ENERGY AND COMMERCE

       FRED UPTON, Michigan          HENRY A. WAXMAN, California
              Chairman                 Ranking Member
JOE BARTON, Texas                    JOHN D. DINGELL, Michigan
  Chairman Emeritus                  EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
ED WHITFIELD, Kentucky               FRANK PALLONE, Jr., New Jersey
JOHN SHIMKUS, Illinois               BOBBY L. RUSH, Illinois
JOSEPH R. PITTS, Pennsylvania        ANNA G. ESHOO, California
MARY BONO MACK, California           ELIOT L. ENGEL, New York
GREG WALDEN, Oregon                  GENE GREEN, Texas
LEE TERRY, Nebraska                  DIANA DeGETTE, Colorado
MIKE ROGERS, Michigan                LOIS CAPPS, California
SUE WILKINS MYRICK, North Carolina   MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                      JANICE D. SCHAKOWSKY, Illinois
JOHN SULLIVAN, Oklahoma              CHARLES A. GONZALEZ, Texas
TIM MURPHY, Pennsylvania             JAY INSLEE, Washington
MICHAEL C. BURGESS, Texas            TAMMY BALDWIN, Wisconsin
MARSHA BLACKBURN, Tennessee          MIKE ROSS, Arkansas
BRIAN P. BILBRAY, California         ANTHONY D. WEINER, New York
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
PHIL GINGREY, Georgia                G.K. BUTTERFIELD, North Carolina
STEVE SCALISE, Louisiana             JOHN BARROW, Georgia
ROBERT E. LATTA, Ohio                DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington   DONNA M. CHRISTENSEN, Virgin 
GREGG HARPER, Mississippi                Islands                        
LEONARD LANCE, New Jersey            
BILL CASSIDY, Louisiana              
BRETT GUTHRIE, Kentucky              
PETE OLSON, Texas                    
DAVID B. McKINLEY, West Virginia     
CORY GARDNER, Colorado               
MIKE POMPEO, Kansas                  
ADAM KINZINGER, Illinois             
H. MORGAN GRIFFITH, Virginia         
                                     

                                  (ii)
           Subcommittee on Commerce, Manufacturing, and Trade

                       MARY BONO MACK, California
                                 Chairman
MARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina
  Vice Chair                           Ranking Member
CLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                    MIKE ROSS, Arkansas
DAVE B. McKINLEY, West Virginia      HENRY A. WAXMAN, California, ex 
MIKE POMPEO, Kansas                      officio
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan, ex officio

  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement...............................     1
    Prepared statement...........................................     3
Hon. G.K. Butterfield, a Representative in Congress from the 
  State of North Carolina, opening statement.....................     4
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................     5
    Prepared statement...........................................     6
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     6
Hon. Pete Olson, a Representative in Congress from the State of 
  Texas, opening statement.......................................     7
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, prepared statement..............................    53
Hon. Edolphus Towns, a Representative in Congress from the State 
  of New York, opening statement.................................    53

                               Witnesses

Jeanette Fitzgerald, General Counsel, Epsilon Data Management, 
  LLC............................................................     8
    Prepared statement...........................................    10
    Answers to submitted questions...............................    55
Tim Schaaff, President, Sony Network Entertainment International.    17
    Prepared statement...........................................    19
    Answers to submitted questions...............................    58


        SONY AND EPSILON: LESSONS FOR DATA SECURITY LEGISLATION

                              ----------                              


                         THURSDAY, JUNE 2, 2011

                  House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 12:05 p.m., in 
room 2123 of the Rayburn House Office Building, Hon. Mary Bono 
Mack (chairwoman of the subcommittee) presiding.
    Members present: Representatives Bono Mack, Blackburn, 
Stearns, Harper, Lance, Guthrie, Olson, McKinley, Pompeo, 
Kinzinger, and Butterfield.
    Staff present: Charlotte Baker, Press Secretary; Allison 
Busbee, Legislative Clerk; Paul Cancienne, Policy Coordinator, 
Commerce, Manufacturing and Trade; Brian McCullough, Senior 
Professional Staff Member, Commerce, Manufacturing and Trade; 
Gib Mullan, Chief Counsel, Commerce, Manufacturing and Trade; 
Shannon Weinberg, Counsel, Commerce, Manufacturing and Trade; 
Michelle Ash, Democratic Chief Counsel; Felipe Mendoza, 
Democratic Counsel; and Will Wallace, Democratic Policy 
Analyst.

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mrs. Bono Mack. Good afternoon. If the room would please 
come to order. Guests, kindly take your seats. Thank you. So 
good afternoon.
    In today's online world, your name, birth date, and 
mother's maiden name are often used to verify your identity. 
But in the wake of massive data breaches at Sony and Epsilon, 
we are now painfully more aware that this very same information 
can be used just as easily to falsify your identity. The time 
has come for Congress to take action. And the chair now 
recognizes herself for an opening statement.
    With nearly 1.5 billion credit cards now in use in the 
United States and more and more Americans banking and shopping 
online, cyber thieves have a treasure chest of opportunities 
today to get rich quick. Why crack a vault when you can hack a 
network? The Federal Trade Commission estimates that nearly 9 
million Americans fall victim to identity theft every year, 
costing consumers and businesses billions of dollars annually, 
and those numbers are growing steadily and alarmingly.
    In recent years, sophisticated and carefully orchestrated 
cyber attacks designed to obtain personal information about 
consumers, especially when it comes to their credit cards, have 
become one of the fastest-growing criminal enterprises here in 
the U.S., as well as across the world. Just last month, the 
Justice Department shut down a cyber crime ring believed to be 
based in Russia, which was responsible for the online theft of 
up to $100 million.
    The boldness of these attacks and the threat they present 
to unsuspecting Americans was underscored recently by massive 
data breaches at Epsilon and Sony. In some ways, Sony has 
become Ground Zero in the war to protect consumers' online 
information. The initial attacks on Sony's PlayStation network 
and online entertainment services, which put some 100 million 
customer accounts at risk, were quickly followed by still more 
attacks at other Sony divisions and subsidiaries. Since then, 
the company, to its credit, has taken some very aggressive 
steps to prevent future cyber attacks such as installing new 
firewalls, enhancing data protection, and enhancing their 
encryption capabilities, expanding automated software 
monitoring, and hiring a new chief information security 
officer.
    These are all important new safeguards, but with millions 
of American consumers in harm's way, why weren't these safety 
protocols already in place? For me, one of the most troubling 
issues is how long it took Sony to notify consumers and the way 
in which the company did it--by posting an announcement on its 
blog. In effect, Sony put the burden on consumers to search for 
information instead of providing it to them directly. That 
cannot happen again.
    While I remain critical of Sony's initial handling of these 
data breaches, as well as its decision not to testify at our 
last hearing--and that goes for Epsilon as well--it is clear 
that since then, the company has been systematically targeted 
by hackers and cyber thieves who are constantly probing Sony's 
security systems for weaknesses and opportunities to infiltrate 
its networks.
    So today, I am not here to point fingers. Instead, let us 
point the way, a better, smarter way to protect American 
consumers online. As I have said, you shouldn't have to cross 
your fingers and whisper a prayer whenever you type in a credit 
card number on your computer and hit ``Enter.'' E-commerce is a 
vital and growing part of our economy. We should take steps to 
embrace and protect it and that starts with robust cyber 
security.
    As chairman of the subcommittee, I believe the lessons 
learned from the Sony and Epsilon experiences can be 
instructive. How did these breaches occur? What steps are being 
taken to prevent future breaches? What is being done to 
mitigate the effects of these breaches? And what policies 
should be in place to better protect American consumers in the 
future. Most importantly, consumers have a right to know when 
their personal information has been compromised, and companies 
have an overriding responsibility to promptly alert them. These 
recent data breaches only reinforce my long-held belief that 
much more needs to be done to protect sensitive consumer 
information.
    Americans need additional safeguards to prevent identity 
theft, and I will soon introduce legislation designed to 
accomplish this goal. My legislation will be crafted around 3 
guiding principles. First, companies and entities that hold 
personal information must establish and maintain security 
policies to prevent the unauthorized acquisition of that data. 
Second, information considered especially sensitive such as 
credit card numbers should have even more robust security 
safeguards in place. And finally, consumers should be promptly 
informed when their personal information has been jeopardized.
    The time has come for Congress to take decisive action. We 
need a uniform national standard for data security and data 
breach notification and we need it now. While I remain hopeful 
that law enforcement officials will quickly determine the 
extent of these latest cyber attacks, they serve as a reminder 
that all companies have a responsibility to protect personal 
information and to promptly notify consumers when that 
information has been put at risk. And we have a responsibility 
as lawmakers to make certain that this happens.
    [The prepared statement of Mrs. Bono Mack follows:]

               Prepared Statement of Hon. Mary Bono Mack

    With nearly 1.5 billion credit cards now in use in the 
United States--and more and more Americans banking and shopping 
online--cyber thieves have a treasure chest of opportunities 
today to ``get rich quick.'' Why crack a vault when you can 
hack a network?
    The Federal Trade Commission estimates that nearly nine 
million Americans fall victim to identity theft every year, 
costing consumers and businesses billions of dollars annually--
and those numbers are growing steadily and alarmingly.
    In recent years, sophisticated and carefully orchestrated 
cyber attacks--designed to obtain personal information about 
consumers, especially when it comes to their credit cards--have 
become one of the fastest growing criminal enterprises here in 
the United States and across the world.
    Just last month, the Justice Department shut down a cyber 
crime ring--believed to be based in Russia--which was 
responsible for the online theft of up to $100 million. The 
boldness of these attacks and the threat they present to 
unsuspecting Americans was underscored recently by massive data 
breaches at Epsilon and Sony.
    In some ways, Sony has become ground zero in the war to 
protect consumers' online information. The initial attacks on 
Sony's PlayStation Network and online entertainment services--
which put some 100 million customer accounts at risk--were 
quickly followed by still more attacks at other Sony divisions 
and subsidiaries.
    Since then, the company--to its credit--has taken some very 
aggressive steps to prevent future cyber attacks, such as 
installing new firewalls...enhancing data protection and 
encryption capabilities...expanding automated software 
monitoring...and hiring a new Chief Information Security Officer.
    These are all important new safeguards, but with millions 
of American consumers in harm's way, why weren't these safety 
protocols already in place?
    For me, one of the most troubling issues is how long it 
took Sony to notify consumers...and the way in which the company 
did it--by posting an announcement on its blog. In effect, Sony 
put the burden on consumers to search for information instead 
of providing it to them directly. That cannot happen again.
    While I remain critical of Sony's initial handling of these 
data breaches--as well as its decision not to testify at our 
last hearing...and that goes for Epsilon as well--it's clear that 
since then the company has been systematically targeted by 
hackers and cyber thieves who are constantly probing Sony's 
security systems for weaknesses and opportunities to infiltrate 
its networks.
    So today, let's not point fingers. Instead, let's point the 
way--a better, smarter way--to protect American consumers 
online. As I have said, you shouldn't have to cross your 
fingers and whisper a prayer when you type in a credit card 
number on your computer and hit ``enter.'' E-commerce is a 
vital and growing part of our economy. We should take steps to 
embrace and protect it--and that starts with robust cyber 
security.
    As Chairman of this Subcommittee, I believe the lessons 
learned from the Sony and Epsilon experiences can be 
instructive. How did these breaches occur? What steps are being 
taken to prevent future breaches? What's being done to mitigate 
the effects of these breaches? And what policies should be in 
place to better protect American consumers in the future?
    Most importantly, consumers have a right to know when their 
personal information has been compromised, and companies have 
an overriding responsibility to promptly alert them.
    These recent data breaches only reinforce my long-held 
belief that much more needs to be done to protect sensitive 
consumer information. Americans need additional safeguards to 
prevent identity theft, and I will soon introduce legislation 
designed to accomplish this goal. My legislation will be 
crafted around three guiding principles:
    First, companies and entities that hold personal 
information must establish and maintain security policies to 
prevent the unauthorized acquisition of that data;
    Second, information considered especially sensitive, such 
as credit card numbers, should have even more robust security 
safeguards;
    And finally, consumers should be promptly informed when 
their personal information has been jeopardized.
    The time has come for Congress to take decisive action. We 
need a uniform national standard for data security and data 
breach notification, and we need it now.
    While I remain hopeful that law enforcement officials will 
quickly determine the extent of these latest cyber attacks, 
they serve as a reminder that all companies have a 
responsibility to protect personal information and to promptly 
notify consumers when that information has been put at risk. 
And we have a responsibility, as lawmakers, to make certain 
this happens.

    Mrs. Bono Mack. And now I would like to recognize the vice 
chairman of the--oh, I am sorry--the ranking member Mr. 
Butterfield for his 5-minute opening statement.

OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Mr. Butterfield. Let me thank you, Chairman Bono Mack, for 
your indulgence. I have been in my office with 28 constituents, 
one of whom was a World War II veteran and several Vietnam 
veterans and they wanted to take pictures and you know that 
drill. And so I had to accommodate them as best I could. But we 
are here and thank you very much for convening this hearing 
today. And I certainly thank the two witnesses for your 
presence.
    Madam Chairman, thank you for holding this hearing on data 
security and the recent breaches that we have seen at Sony and 
Epsilon. Last month, well over 100 million consumer records 
have been compromised as a result of those breaches, including 
full names, email and mailing addresses, the passwords, and 
maybe even credit card numbers. Those two major breaches 
illustrate that no company is safe from attack and that we must 
always operate at a heightened level of security and vigilance. 
No company wants its data compromised, and Sony and Epsilon are 
certainly no exception.
    Sony was victim to hackers who stole nearly 100 million 
consumer records, and it took engineers several days to realize 
that there was an intrusion. During that time, hackers had full 
access to Sony's servers. The breach that occurred at Epsilon 
was very large and involved the names and email addresses of 
about 50 of Epsilon's clients with conservative estimates of 60 
million records stolen. Luckily, no critically sensitive 
information was stolen, but it easily could have.
    It is important that businesses do all they can do to 
protect consumers from having their information fall into the 
wrong hands. For many Americans, shopping, paying bills, and 
refilling prescriptions and communicating with friends and 
family and even playing games are all done online. As people 
share more and more information online, the potential for 
personally identifiable information to be compromised increases 
exponentially. Names, physical addresses, dates of birth, 
Social Security numbers, and credit card numbers are just a few 
of the types of information that hackers are able to access and 
exploit.
    While 46 States have laws requiring consumer notification 
when a breach occurs, there is currently no federal standard to 
address this. Moreover, there is no federal law requiring 
companies that hold PII to have reasonable safeguards in place 
to protect this information. Without a federal standard, I am 
concerned that American consumers remain largely exposed 
online. And during the 109th Congress and subsequent 
Congresses, members of this committee worked in a bipartisan 
fashion to develop the Data Accountability and Trust Act to 
address the issue of data security.
    The DATA bill of the 111th Congress by my friend and former 
chairman of the subcommittee Mr. Rush from Illinois would have 
required entities holding data containing personal information 
to adopt reasonable and appropriate security measures to 
safeguard it and, in the event of a breach, to notify affected 
individuals. The DATA bill passed the House in the 111th 
Congress but our friends in the Senate did not act. The DATA 
bill is a good foundation to improve the security of e-
commerce, something that is good for consumers and good for 
business. It would give American consumers more peace of mind 
about online transactions and make them more likely to continue 
and expand their use of online services.
    And so, Madam Chairman, we have learned a lot from the 
breaches at Sony and Epsilon and I expect to learn more today 
from our two witnesses. I want you to know that I stand ready 
to work with you and our colleagues to pass a strong bipartisan 
data security bill like the DATA bill that we saw in the last 
session. I thank today's witnesses for their testimony and look 
forward to each of you. Thank you very much. I yield back.
    Mrs. Bono Mack. I thank the gentleman. Chairman Upton 
yielded his 5 minutes for an opening statement to me in 
accordance with committee rules. And as his designee, I now 
recognize Mrs. Blackburn for 2 minutes.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you, Madam Chairman. I will submit my 
full statement.
    A couple of comments. I think that the Sony and the Epsilon 
breaches raise a lot of questions with our constituents. What 
they are asking us is, number one, how do you minimize identity 
theft? Number two, they want proper notifications from the 
vendors that they are doing business with. And number three, 
they want to see better coordination with law enforcement. They 
feel as if this is missing. And I know that as we address this, 
what we are going to have to look at is better government 
coordination, incentives for industry cooperation in this 
issue, stricter penalty deterrents against hackers, and a 
flexible framework for risk assessment and breach alerts.
    As we do this, I hope that we will continue to look at the 
threat of digital protection of intellectual property. The two 
are interrelated and they both deserve attention. And I have to 
tell you, with the new music cloud services from Apple, Google, 
and Amazon, my concern is there that we hold everybody 
accountable and secure the integrity of that system.
    I do want to highlight that on the issue of the illegal 
downloads and file sharing, my home State of Tennessee has just 
passed and signed into law a bill that puts in place penalties 
for this. They have made this a crime in our State, and I am 
glad they did it because losing content to the rogue Web sites 
not only becomes an issue for the entertainment industry, but 
it exposes consumers to viruses, dangerous products, and 
increases the likelihood of data theft.
    So I thank you all for being here and I yield back my time.
    [The prepared statement of Mrs. Blackburn follows:]

              Prepared Statement of Hon. Marsha Blackburn

    I thank the Chair for holding this hearing on securing our 
online data and privacy.
    This is a timely subject of importance not only for our 
economy, but also for our virtual and physical safety.
    Last year Tennessee ranked 18th for fraud, and 19th for 
identity theft complaints nationwide. But the disturbing 
proliferation of data theft knows no boundaries in the virtual 
marketplace. And the Epsilon and the two Sony breaches raise 
the stakes of our policy response.
    Just this week, after problems with the Android app for 
Skype were apparently fixed, consumers reported receiving robo-
calls soliciting their credit card information.
    Representatives from the industry have an obligation to 
explain to the American people exactly how our data is being 
hijacked, and what exactly they plan to do about it.
    In examining the lifecycle of these data breaches, an 
obvious and disturbing pattern can be seen in lagging 
consumer notifications. It's a trend I fear perpetuates 
industry's ``culture of damage control''--a business strategy 
that accelerates identity theft and virtual phishing schemes.
    We need a framework that gives consumers at least a 
fighting chance to protect the ``Virtual You''--one's online 
identity--not just the false sense of security they have been 
fed.
    I look forward to the witnesses' testimony, and to an open 
discussion about how we can secure our data and privacy in the 
virtual realm. I yield my time.

    Mrs. Bono Mack. I thank the gentlelady. And the chair 
recognizes Mr. Stearns for 2 minutes.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Thank you, Madam Chair.
    I think it is mentioned by the chairwoman, the FTC recently 
reported 9 million Americans have fallen victim to identity 
theft. And I think it is sort of puzzling, a corporation as 
strong and comprehensive as Sony, they would, you would think, 
have the ability to certify that their data is secure. As 
recently mentioned, over 45 States have adopted a data breach 
notification requirement, but, of course, there is no law on a 
federal basis. So it is good that you folks are here so we can 
ask you some questions about, you know, perhaps if you know who 
the people were, what were the requirements that you set up in a 
corporation as extensive as Sony, and do you think there is a 
criminal case here that should be prosecuted? So there are lots 
of questions so I appreciate your coming here.
    As many of you know, I had a bill when I was chairman of 
the subcommittee that we got out of the House. Unfortunately, 
it did not get through the Senate. And I have introduced it 
with Mr. Matheson again, which simply required the Federal 
Trade Commission to develop these regulations requiring persons 
that own or possess electronic data to establish necessary 
security policies and procedures, as well as notification 
mechanism.
    So both of our witnesses today certainly have within their 
power to provide the software, the data security provisions 
that are necessary. I think it must be puzzling to them as well 
as to us why this happened to them considering how 
sophisticated both of them are. I have had the opportunity to 
talk to them in my office, so it is very appreciative that you 
took the time to come here and talk to us and we look forward 
to your testimony. Thank you.
    Mrs. Bono Mack. I thank the gentleman. And the chair 
recognizes Mr. Olson for 1 minute.

   OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Olson. I thank the chairwoman for her leadership in 
calling this timely hearing.
    As we all learned this morning, overseas hackers from China 
hacked into Google email accounts. Like Sony, Epsilon, and now 
Google, my home State of Texas has experienced a massive data 
breach in April of this year when almost 3.5 million Texans had 
their personal information, their names, mailing addresses, and 
Social Security numbers compromised from the office of the 
Texas Comptroller of Public Accounts, and it was posted to a 
public server.
    There is a clear need for government, businesses, and 
citizens to work together to protect citizens' personal 
information. I look forward to working with the chairwoman on 
comprehensive data security legislation.
    I thank the witnesses for coming. I yield back the balance 
of my time.
    Mrs. Bono Mack. I thank the gentleman and turn our 
attention to the panel. We have a single panel of very 
distinguished witnesses joining us today. Welcome. Each of you 
have a prepared statement that will be placed into the record, 
but if you could summarize your statements in your remarks, we 
would appreciate it.
    On our panel, we have Jeanette Fitzgerald, General Counsel 
for Epsilon Data Management, LLC. Also testifying is Tim 
Schaaff, President, Sony Network Entertainment International. 
Good afternoon, and thank you both very much for coming. You 
will each be recognized, as I said, for 5 minutes. To help you 
keep track of time, there is a clever little device in front of 
you: red, yellow, green. And when the light turns yellow, 
please summarize as you would a traffic light.
    So Ms. Fitzgerald, you are recognized for 5 minutes. And 
please remember the microphone and pull it close to your mouth 
if you would.

  STATEMENTS OF JEANETTE FITZGERALD, GENERAL COUNSEL, EPSILON 
DATA MANAGEMENT, LLC; AND TIM SCHAAFF, PRESIDENT, SONY NETWORK 
                  ENTERTAINMENT INTERNATIONAL

                STATEMENT OF JEANETTE FITZGERALD

    Ms. Fitzgerald. Ranking Member Butterfield, and 
distinguished members of----
    Mrs. Bono Mack. Sorry. Excuse me. Would you pull the 
microphone up?
    Ms. Fitzgerald. Closer? Better?
    Mrs. Bono Mack. Thank you.
    Ms. Fitzgerald. Good morning. Chairman Bono Mack, Ranking 
Member Butterfield, and distinguished members of the 
subcommittee, my name is Jeanette Fitzgerald, and I am the 
general counsel for Epsilon Data Management. Thank you for 
inviting me to present Epsilon's testimony on data security. I 
hope that I can provide information today in going forward that 
will act as a helpful resource as you consider data security 
legislation that is in the best interest of both consumers and 
business. My full written testimony has been submitted for the 
record. I will summarize it here and hope to leave you with 
three main points.
    First, who is Epsilon and how do we provide important data 
management services for our clients? Second, how the attack of 
March 30 occurred and what we are doing to apprehend the 
perpetrators and improve our own data security. And finally, 
why we think national data breach notification legislation is 
important.
    Epsilon is the leading provider of permission-based email 
marketing services. Our clients, some of the world's largest 
and best-known consumer and financial services brands count on 
us to send their email messages to their customers, the 
individual consumer. And as we all know, major brands use email 
messages to provide consumers with timely information about new 
products and sales and events, among other things. Epsilon 
ensures that these email messages comply with applicable legal 
requirements, including the CAN-SPAM Act.
    To earn and keep our clients' trust, Epsilon became the 
first in the industry in 2006 to certify that its information 
security program complied with the standards issued by the 
International Association of Standardization, known as ISO. 
ISO, a highly regarded organization, is recognized by over 160 
countries around the world, including the United States, as 
identifying best practices for information security management. 
The standards are demanding, requiring over a year to earn 
initial certification. We are proud that Epsilon leads the 
industry and that we have achieved yearly recertification, 
which requires proof that the company is improving its security 
program each year.
    Notwithstanding our internal security procedures and our 
compliance with these rigorous data security standards, as you 
know, Epsilon was the victim of a criminal hacking incident at 
the end of March. Since our information security program was 
designed to identify and respond to attacks and threats, we 
were quickly able to detect the unauthorized download activity, 
which triggered Epsilon's security incident response program.
    Our investigation, both internal and with an independent 
third party, is coordinated closely with the Secret Service and 
is still ongoing. But we can say that the initial investigation 
confirms that only email addresses and, in some cases, first 
and last names were affected by this attack. Again, only email 
addresses and, in some cases, first and last names were 
affected. The details of what happened after the attack are in 
my written statement that has been submitted for the record. We 
are greatly troubled that this criminal incident has called 
into question our commitment to data security. But I want to 
leave you with four main points about what happened and how 
Epsilon responded.
    First, our internal response to the criminal attack was 
immediate. We isolated computers and changed employee access 
rights. Second, our forensics investigation began within hours. 
We also reached out to law enforcement just as quickly. Third, 
notification to our clients also occurred on the same day, and 
we released a public statement and posted additional public 
information on our Web site shortly thereafter. And finally, 
now and going forward, we reiterate our commitment to working 
with the Secret Service, apprehending the hackers, and 
improving our own security.
    Companies like Epsilon are on the frontlines in the fight 
against data theft. We also believe Congress has an important 
role to play in protecting consumers. To that end, Epsilon 
fully supports legislation that would create a uniform standard 
for data breach notification. The current patchwork of over 45 
individual State breach notification laws is confusing. A 
uniform national law, on the other hand, would provide 
predictability and equitable protection for consumers, 
regardless of their State of residence.
    Chairman Bono Mack, Ranking Member Butterfield, and members 
of the subcommittee, we look forward to working with you as the 
legislative process moves forward. I sincerely hope that the 
information I am able to provide at this hearing is helpful to 
the subcommittee as it considers this critical issue. Thank 
you.
    [The prepared statement of Ms. Fitzgerald follows:]

    Mrs. Bono Mack. Thank you, Ms. Fitzgerald. And Mr. Schaaff, 
you are recognized for 5 minutes.

                    STATEMENT OF TIM SCHAAFF

    Mr. Schaaff. Thank you. Chairman Bono Mack, Ranking Member 
Butterfield, and other distinguished members of the 
subcommittee, thank you for providing Sony with this 
opportunity to testify on cyber crime and data security.
    My name is Tim Schaaff and I am president of Sony Network 
Entertainment International, a subsidiary of Sony Corporation 
based in California, where we employ approximately 700 people 
in five offices around the State. I am chiefly responsible for 
the business and technical aspects of Sony's PlayStation 
Network and Qriocity, an online service that allows consumers 
to access movies, television shows, music and video games. Sony 
Network Entertainment, Sony Online Entertainment--another 
subsidiary of Sony's--and millions of our customers were 
recently the victims of an increasingly common digital age 
crime--a cyber attack. Indeed, we have been reminded in recent 
days of the fact that no one is immune from the threat of cyber 
attack. Businesses, government entities, public institutions, 
and individuals can all become victims.
    The attack on us, we believe, is unprecedented in its size 
and scope. Initially, Anonymous, the underground group 
associated with last year's WikiLeaks-related cyber attacks, 
openly called for and carried out massive denial-of-service 
attacks against numerous Sony internet sites in retaliation for 
Sony bringing action in Federal Court to protect its 
intellectual property. During or shortly after those attacks, 
one or more highly skilled hackers infiltrated the servers of 
the PlayStation Network and Sony Online Entertainment.
    Sony Network Entertainment and Sony Online Entertainment 
have always made a concerted and substantial effort to maintain 
and improve their data security systems. We hired a well 
respected and experienced cyber security firm to enhance our 
defenses against the denial-of-service attacks threatened by 
Anonymous, but unfortunately, no entity can foresee every 
potential cyber security threat.
    We have detailed for the subcommittee in our written 
testimony the timeline from when we first discovered the 
breach. But to briefly summarize, the first indication of a 
breach occurred on Tuesday, April 19 of this year. On 
Wednesday, April 20, we mobilized an investigation and 
immediately shut down all of the PlayStation Network services 
in order to prevent additional unauthorized activity. After two 
highly respected technical forensic firms were retained to 
assist in a time-consuming and complicated investigation, on 
Friday, April 22, we notified PlayStation Network customers via 
post on the PlayStation blog that an intrusion had occurred. 
After a third forensic firm was retained, on Monday, April 25, 
we were able to confirm the scope of the personal data that we 
believed had been accessed. And although there was no evidence 
credit card information had been accessed, we could not rule 
out the possibility.
    Therefore, the very next day, Tuesday, April 26, we issued 
a public notice that we believed the personal information of 
our customers had been taken. And that while there was no 
evidence that credit card data was taken, since we could not 
rule out the possibility, we had to acknowledge that it was 
possible. We also posted this on our blog and began to email 
each of our accountholders directly. We did not merely make 
statements on our blog.
    On Sunday, May 1, Sony Online Entertainment, a multi-player 
online videogame network, also discovered that data may have 
been taken. On Monday, May 2, just one day later, Sony Online 
Entertainment shut down this service and notified customers 
directly that their personal information may have also been 
compromised. Throughout this time, we felt a keen sense of 
responsibility to our customers. We shut down the networks to 
protect against further unauthorized activity. We notified our 
customers promptly when we had specific, accurate, and useful 
information. We thanked our customers for their patience and 
loyalty and addressed their concerns arising from this breach 
with identity theft protection programs for the U.S. and other 
customers around the world where available, as well as a 
welcome-back package of extended and free subscriptions, games, 
and other services. And we worked to restore our networks to 
stronger security to protect our customers' interests.
    Let me address the specific issues you are considering 
today: notification of consumers when data breaches occur. Laws 
and common sense provide for companies to investigate breaches, 
gather the facts, and then report data losses publicly. If you 
reverse that order, issuing vague or speculative statements 
before you have specific and reliable information, you either 
send false alarms or so many alarms that these warnings may be 
ignored. We therefore support federal data breach legislation 
and look forward to working with the subcommittee on the 
particulars of the bill.
    One final point--as frustrating as the loss of networks for 
playing games was for our customers, the consequences of cyber 
attacks against financial or defense institutions can be 
devastating for our economy and security. Consider the fact 
that defense contractor Lockheed Martin and the Oak Ridge 
National Laboratory, which helps the Department of Energy 
secure the Nation's electric grid, were also cyber attacked 
within the past 2 months.
    By working together to enact meaningful cyber security 
legislation, we can limit the threat posed to us all. We look 
forward to this initiative to make sure that consumers are 
empowered with the information and tools they need to protect 
themselves from cyber criminals. Thank you very much.
    [The prepared statement of Mr. Schaaff follows:]

    Mrs. Bono Mack. Thank you, Mr. Schaaff. And I would like to 
thank both of you for your opening statements, as well as for 
your unique insight into these disturbing data breaches. I am 
confident that the lessons learned will assist us in our 
efforts to develop new online safeguards for American 
consumers.
    And I am going to recognize myself for the first 5 minutes 
of questioning.
    And, Mr. Schaaff, given the extreme makeover of Sony's 
online security protocols, it does beg the question: why weren't 
many of these safeguards, such as having a chief security 
information officer, in place before the April data breaches?
    Mr. Schaaff. We believe that the security that we had in 
place was very, very strong and we felt that we were in good 
shape. However, as the attacks indicated, the intensity and 
sophistication of the hack was such that even despite those 
best measures that we had taken, it was not sufficient. And as 
we recognize moving forward that the scrutiny that we are 
likely to be under from the hackers will continue, we have made 
additional commitments to enhance the security of our networks.
    In addition, we had been working for some months now, more 
than 18 months to expand both the capacity and security of our 
network. We are a new business but we are a very fast-growing 
business.
    Mrs. Bono Mack. All right. Let me jump ahead.
    Mr. Schaaff. Sure.
    Mrs. Bono Mack. You indicated with Sony in the May 3 letter 
that you contacted the FBI on April 22, which was 2 days after 
it determined the breach had in fact occurred. Why did Sony 
wait 2 days to notify law enforcement?
    Mr. Schaaff. My understanding is that we notified them as 
soon as we had something clear that we could report that 
indicated some sign of external intrusion that would be 
unauthorized or illegal.
    Mrs. Bono Mack. Your testimony indicates four servers were 
taken offline on April 19 before you pulled the plug on all 130 
servers. Can you tell us what information was different that 
was stored on those initial four servers?
    Mr. Schaaff. Well, these were part of a larger network of 
machines and we believed this was just the first entry point 
that the hacker may have used to get into the network, and upon 
discovering them, we immediately shut them down. But there were 
other servers that were also attacked by the hackers as well.
    Mrs. Bono Mack. Some media reports indicate Sony's servers 
may not have had up-to-date patches or firewalls prior to the 
attack. Is that true?
    Mr. Schaaff. That is actually patently false. The Apache 
servers were fully up to date, fully patched. And in fact, we 
had had several layers of firewalls in place, also contrary to 
so many of the things you may have read on the internet. As you 
know, the internet is not always a reliable source of factual 
information.
    Mrs. Bono Mack. And you state that you believe the cyber 
attack on Sony was unprecedented in both size and scope. Can 
you explain why you believe it is unprecedented?
    Mr. Schaaff. Well, we believe that the sophistication of 
the attack, the collection of activities that were undertaken, 
the period of time in which the hackers were carefully 
exploring the network, and then ultimately the scope of the 
service that was breached makes it quite a remarkable attack. 
And despite the deep security measures that we had taken, it 
was nevertheless insufficient to guard against these attacks.
    Mrs. Bono Mack. Was the consumer data you held encrypted? 
And why or why not?
    Mr. Schaaff. So, of course, the credit card information 
that was held was encrypted. Password login data was protected 
using cryptographic hash functions. And these practices are in 
line with industry practice.
    Mrs. Bono Mack. Thank you. Ms. Fitzgerald, would greater 
security requirements have prevented your breach? And if not, 
what added protection are your new security measures providing?
    Ms. Fitzgerald. At the time, we had very extensive security 
as I noted in my opening statement and the written statement I 
provided. We have continued through the investigation to 
evaluate additional things that may be done to strengthen both 
our networks and any of the access points. We have also decided 
to hire some outside experts to even evaluate the network 
further and see if there is anything else in different parts of 
our network that need to be adjusted.
    Mrs. Bono Mack. Coming as a consumer who received multiple 
notices about your breach, there are also indications that 
consumers received notice of the breach from your business 
customers for which, in some cases, they hadn't had a purchase 
or customer relationship for 4 or 5 years. Do you ever purge 
your data and why do you hold onto information for as long as 
you do?
    Ms. Fitzgerald. So let me step back a second to remind 
everyone how Epsilon plays in this. Epsilon is a service 
provider to the well-known names that you may have received 
notifications from, and they have the relationship with the 
consumer. What data we hold is determined by the client, and 
the client then tells us what to hold and what we then do with 
it in terms of sending out notices or any sort of marketing 
messages is entirely up to the client. It is not----
    Mrs. Bono Mack. Do you advise them on when it might be a 
good time to purge data?
    Ms. Fitzgerald. It depends on what they want to do with the 
data. And there is also opt-out data that would have been held 
because in order to comply with CAN-SPAM, you have to maintain 
records of who has opted out. So if, 2 years ago, you opted out 
and you haven't had any activity, that list would still be 
there because you have to comply with CAN-SPAM. So we have to 
be able to duplicate or de-duplicate and take those names out 
any time that we do a mailing.
    Mrs. Bono Mack. OK. Thank you. My time has expired. I will 
recognize the ranking member, Mr. Butterfield, for his 5 
minutes.
    Mr. Butterfield. Thank you, Madam Chairman.
    Mr. Schaaff, let me start with you and if I have any time 
remaining, I will go over to Ms. Fitzgerald.
    Mr. Schaaff, I understand that your internal investigation 
has not turned up any evidence suggesting that credit card data 
was taken from the network, but to me, that doesn't necessarily 
mean that the data was not taken, just that you haven't turned 
up any digital fingerprints that would allow you to know with 
certainty that it was taken. And I think you see what I am 
saying there. Help me with that. How certain are you that the 
data was not taken in the attack?
    Mr. Schaaff. Well, as you know, we have been engulfed in an 
intensive investigation over the past 6 weeks since the breach 
occurred, and we have looked deeply at the logs related to the 
databases. And in those logs we have found no clear evidence 
that there was any access made to the credit card information, 
and we found plenty of evidence that suggests that that data 
was not accessed. That is the basis for today's statements that 
we do not believe the credit card information was compromised.
    Mr. Butterfield. Now, in your testimony, you mentioned that 
the attack took place on April 19, that the PlayStations were 
shut down on April 20, and that you did something on April 22. 
Help me with that if you could shed some light on what you did 
on April 22.
    Mr. Schaaff. On April 22, this was the point at which we 
first notified consumers that there had been an intrusion. We 
were trying to understand what had happened to the network, and 
we were actively beginning the investigation of that breach. 
And at the point that we were able to determine that there had 
been an intrusion, we immediately notified consumers so that 
they would be aware of what had occurred, even though at that 
time we were not yet able to confirm precisely which data may 
have been compromised.
    Mr. Butterfield. So is it your testimony that on April 22, 
you began the process of notifying the consumers?
    Mr. Schaaff. Well, we notified them on the PlayStation blog 
of the intrusion, but then on April 26, we followed that up 
with an additional notification regarding more specifics 
related to the actual data that may have been breached and we 
began immediately notifying consumers starting from that date 
via email of the breach as well.
    Mr. Butterfield. But the April 22 announcement was simply 
on the internet? It was on the blog?
    Mr. Schaaff. That was posted on the PlayStation blog. The 
PlayStation blog is one of the most active and popular blogs on 
the web. It is currently ranked about number 20, just behind 
the White House blog. So it is a very, very expected place for 
our consumers to look for information.
    Mr. Butterfield. Do you have any way of knowing how many 
consumers actually read the statement?
    Mr. Schaaff. I don't know the answer to that off the top of 
my head. We can investigate and----
    Mr. Butterfield. But 7 days after the breach was when 
official notification was issued?
    Mr. Schaaff. We were not able to determine until the day 
that we had notified consumers. We were searching for evidence 
that would allow us to confirm the status of the credit card 
information and not being able----
    Mr. Butterfield. Do you think 7 days was a reasonable time?
    Mr. Schaaff. Actually, what has been interesting from my 
perspective is that we have continued this investigation in the 
successive weeks, and as you hear me speaking today, some of 
our conclusions with respect to credit card information have 
changed somewhat from our original statements. And that change 
has occurred because of the continuing investigation. In the 
abundance of caution, we acknowledge the possibility that 
credit cards would have been taken in our announcements on the 
26th. But as you can see, the situation changes as the 
investigation proceeds, and we felt it would have been 
irresponsible if we had notified consumers earlier with partial 
or incomplete information.
    Mr. Butterfield. But you have, based on your experience 
here, made some corrections and some adjustments in the credit 
card data that you collect?
    Mr. Schaaff. We have been working to increase the security 
of the entire network and additional controls related to credit 
card data have also been put in place, yes.
    Mr. Butterfield. And how do these measures compare to those 
for the other types of personal information that you have, the 
credit card data versus the other information?
    Mr. Schaaff. Yes, excuse me. The credit card information is 
the most highly protected and guarded information. It is all 
encrypted and so even if it is taken, it is not likely to be 
useful to the hacker.
    Mr. Butterfield. Is it true that user passwords were hashed 
and not encrypted? Is that true?
    Mr. Schaaff. That is true. It is true that they were hashed 
using cryptographic hash functions. That is an industry 
practice which is very standard. It is not an unusual practice 
at all.
    Mr. Butterfield. Industry standard. Well, why don't you use 
any type of encryption in your procedures?
    Mr. Schaaff. It is a form of protection that is very, very 
closely related to encryption, and I am not an expert in 
cryptography so I am not sure that I could answer the question 
in a more detailed way.
    Mr. Butterfield. What is irreversible encryption?
    Mr. Schaaff. Irreversible encryption is my understanding of 
the definition of a cryptographic hash. I am sorry. This is--
wait. OK.
    Mr. Butterfield. Ms. Fitzgerald, your testimony states that 
Epsilon's internal investigation revealed that the login 
credentials of the employee who reported unusual and suspicious 
download activity had been compromised. And in layman's terms, 
I suppose, I assume this means that the employee's credentials 
had been hijacked and been used by a hacker to carry out the 
intrusion into your network and to steal consumers' email 
addresses. Can you please tell me a little bit more about what 
that means, that the employee's login credentials were 
compromised?
    Ms. Fitzgerald. Well, what we had understood during the 
investigation is that the credentials were somehow used based 
on the logs, though not necessarily by that person, to actually 
download that information. That is why we then immediately--our 
system kicked into place and immediately we saw that there were 
improper downloads and so our security system kicked in and 
then we knew that there was a problem and we shut their access 
down and anybody else who had credentials at that level and 
took that computer off the system.
    Mr. Butterfield. Thank you. My time has expired.
    Mrs. Bono Mack. I thank the gentleman and recognize the 
gentleman from Florida, Mr. Stearns, for 5 minutes.
    Mr. Stearns. Thank you, Madam Chair. Let me be sure I 
understand, Ms. Fitzgerald, exactly what was taken. It is our 
understanding emails were taken and the name of the people 
whose email was taken. Is that correct?
    Ms. Fitzgerald. I am sorry. Was that to me?
    Mr. Stearns. Yes.
    Ms. Fitzgerald. I am sorry.
    Mr. Stearns. What was actually taken, as I understand it, 
is emails----
    Ms. Fitzgerald. It was email addresses, and in some cases, 
first and last names.
    Mr. Stearns. First and last names. OK. And that was all?
    Ms. Fitzgerald. Yes.
    Mr. Stearns. And you said that you notified all 50 to 75 
customers. Is that correct?
    Ms. Fitzgerald. There were about 50 customers of our 
clients, that were affected.
    Mr. Stearns. OK.
    Ms. Fitzgerald. And we notified them.
    Mr. Stearns. Would you provide the committee the complete 
list of those?
    Ms. Fitzgerald. The names of those clients are subject to 
agreements that we have with them, and we are supposed to keep 
those confidential.
    Mr. Stearns. So you cannot provide us----
    Ms. Fitzgerald. So we notified them promptly so they 
could----
    Mr. Stearns. No, I know you notified them, but you cannot 
provide the committee with these names? Is that what you are 
saying today?
    Ms. Fitzgerald. Not at this point, no.
    Mr. Stearns. Now, I have in our material that some of these 
people are J.P. Morgan Chase, Capital One, Citibank, Best Buy, 
Verizon, Target, Home Shopping Network, and Verizon. Is that 
part of the 50 to 75?
    Ms. Fitzgerald. I recognize most of those names as being 
ones that sent us notification----
    Mr. Stearns. They are companies that have a huge number of 
people, so the impact of this 50 to 75, we cannot even 
comprehend how many Verizon has. So can you extrapolate, not 
telling us in detail, but if Verizon is one of your customers 
and you had a breach with the emails and names, does that mean 
that perhaps millions of names from Verizon had been breached?
    Ms. Fitzgerald. There could be many.
    Mr. Stearns. Just yes or no.
    Ms. Fitzgerald. Yes.
    Mr. Stearns. Yes, OK. Now, with Sony, the question is, as I 
understand it, the password for the Sony PlayStation was 
breached. Is that correct?
    Mr. Schaaff. Well, we believe that there were a number of 
different types of information accessed, including first name 
and last name, address, date of birth, login, password, login 
address----
    Mr. Stearns. For the Sony PlayStation?
    Mr. Schaaff. For the Sony PlayStation Network, yes.
    Mr. Stearns. OK. And what about their credit cards?
    Mr. Schaaff. As I said, we had originally stated that there 
was a possibility. We could not rule out the possibility that 
the credit card information had been accessed. At this point in 
time, we do not see any evidence that it has been.
    Mr. Stearns. OK. When you look at the person's credit card 
together with personal information, his password for Sony 
PlayStation, would one person have all of that breached for 
that one person or is it segmented so somebody got their 
password, somebody got their credit card, somebody got their 
person or is all this information together when it was 
breached?
    Mr. Schaaff. It is difficult for us to know exactly which 
data was taken, but it is likely that they would have been 
taken together, but we don't know for which accounts that would 
have been.
    Mr. Stearns. And what is a conservative estimate of the number 
of people who were affected by this breach?
    Mr. Schaaff. Well, so we have announced that there were 
approximately 77 million accounts that could have been 
accessed. When we took the network offline, obviously all of 
our customers were affected for the period of time that the 
network has been down, but that is part of the reason why we 
have provided the identity theft insurance, identity theft 
protection program, and these welcome back programs was to 
appreciate and acknowledge the loss of access to the network 
that our customers experienced and to address the concerns that 
they may have regarding the loss of their personal information.
    Mr. Stearns. Is it true that you brought suit to protect 
your IP against the hackers of the PlayStation III device?
    Mr. Schaaff. That is true.
    Mr. Stearns. Why did you bring this suit?
    Mr. Schaaff. Well, just like the music industry and the 
movie industry, the PlayStation business is built upon 
intellectual property. Content providers invest millions of 
dollars to create titles that we then help them to distribute 
in our business and the employment of literally tens of 
thousands of people around the country.
    Mr. Stearns. Knowing what has happened to you with this 
breach, would you say that you would do it again?
    Mr. Schaaff. I am sorry. I didn't hear the question.
    Mr. Stearns. Knowing what has happened with this breach, 
would you go ahead and have done that suit again in hindsight?
    Mr. Schaaff. Well, I think this is one of the great 
challenges right now is how do companies protect their content 
businesses? I mean I think we made the right decision. Did it 
have consequences? It appears to have had some fairly negative 
consequences for the company. But if we hadn't done something, 
I think it would be playing out in a different company later 
on.
    Mr. Stearns. OK.
    Mr. Schaaff. I think this is a big issue for the Nation.
    Mr. Stearns. Now, assuming we have federal legislation, do 
you think federal legislation to address security breaches 
would help? Because I understand both of you are in States 
where we have state legislation and that didn't seem to 
necessarily force you to have a secure data security 
department. So why would federal legislation make it better 
than the States who have already passed? And you didn't comply, 
evidently, with the States.
    Mr. Schaaff. Well, actually, I think that the issue 
regarding the States' rights--I am not a lawyer. Let me mention 
up front I am not a lawyer.
    Mr. Stearns. Right.
    Mr. Schaaff. But my understanding here is that there are a 
variety of laws in a number of the States, but the laws are 
often seemingly in conflict and they can create very 
complicated situations for us to understand how we should 
behave properly with regard to notification obligations. 
Regarding the security of the network, I think the evidence of 
Epsilon, of Sony, of many other companies that have been 
reported in the news in the last several weeks indicates that 
despite spending millions of dollars to secure your networks, 
despite all of the best methods known to us, our networks are 
not 100 percent protected. It is a process that requires 
continual investment, and we do that, but I think without 
additional support from the government, it is unlikely we will 
all collectively be successful, and that will threaten the 
livelihood of the internet, the growing internet economy.
    Mr. Stearns. Thank you.
    Mrs. Bono Mack. The gentleman's time has expired. The chair 
recognizes Mr. Guthrie for 5 minutes.
    Mr. Guthrie. Thank you, Madam Chairman, for having this 
hearing. I appreciate it very much.
    So just to follow up on what Mr. Stearns said, the 
patchwork of state laws, the different state jurisdictions 
complicated your ability to respond? You didn't say that. Is 
that what I heard?
    Mr. Schaaff. I was responding specifically to the issue 
about the notification obligation.
    Mr. Guthrie. Right, the notification state laws.
    Mr. Schaaff. It is my understanding that there are some 
conflicting obligations there.
    Mr. Guthrie. So a federal standard would be----
    Mr. Schaaff. A federal standard that would preempt the 
states would be extremely helpful.
    Mr. Guthrie. OK. I just want to get kind of the nature--so 
Epsilon is a vendor for you? Is Epsilon a vendor for Sony? So 
did the hacker go to Epsilon into Sony or Sony to Epsilon to 
get to the other--how did that work?
    Mr. Schaaff. I am sorry. Let me clarify. These are actually 
two completely separate breach events.
    Mr. Guthrie. OK.
    Mr. Schaaff. So the activity at Epsilon was completely 
unrelated to--as far as we know--what happened at Sony.
    Mr. Guthrie. So you are not a vendor with Epsilon? This is 
two completely separate--OK. So the other customers--OK. I was 
thinking--I apologize. But your other customers, they came--the 
Epsilon, they got to your system, and then through your system 
were able to--at least the companies that you notified, the 
Verizons, the Krogers that was mentioned earlier, that was how 
that breach worked?
    Ms. Fitzgerald. So as a vendor, our ability to send out 
email addresses on behalf of those clients requires us to 
maintain those email addresses for them.
    Mr. Guthrie. Right.
    Ms. Fitzgerald. And that is how the hackers got in and got 
that information.
    Mr. Guthrie. OK. OK. Has Sony been victim before of any 
type of breach? And if so, how did that--not to this level, I 
know, but----
    Mr. Schaaff. We certainly experience a constant level of 
fraud, and we are under regular probing by hackers and others. 
I mean I think it is a standard part of anybody who is in the 
internet business these days.
    Mr. Guthrie. And for both of you, too, I know I am 
manufacturing background and we did ISO 9000, which was a set 
of standards for quality control. They have ISO 14000, a set of 
standards for environmental--and they are good practices to 
follow, but they leave a lot of interpretation to the 
businesses because otherwise they are formed by committee, and 
it would be difficult to change every time something needs to 
be changed. I am not familiar with this particular standard 
that you are talking about, but is it sufficient if you follow 
the ISO standards to--I guess my question is your industry is 
so fast-changing that when you are in the automotive industry, 
which I am in, you put a standard in place, it takes a while 
for things to innovate that the standard is out of date. It 
appears to me when I saw ISO that it would be difficult for 
them to keep up with the changes in the industry or, I guess 
what I am saying, the ability of people who hack to innovate to 
find new ways into your system. So is it sufficient--I guess 
ISO being certified sufficient, you think?
    Ms. Fitzgerald. We don't use the ISO as the only thing we 
do. We have lots of audits by our clients. We have 70 audits we 
have to do. And then, frankly, we have our own security program 
where we are continually trying to upgrade our systems and to 
make sure that we make things as tight as we can, but the 
hackers are very sophisticated. This wasn't some guy in a 
garage just coming after us. These are sophisticated guys. And 
I have talked to the Secret Service enough times now to know 
that we are not the only one and that they are working with the 
FBI. And there is a concerted effort to go after these guys.
    Mr. Schaaff. Um-hum. Yes, I would concur. I mean I think 
these guidelines and standards are important for the industry 
to move forward, but they are far from sufficient. And if they 
had been sufficient, I, you know, I wouldn't be here. And I 
think that we are all under attack and without additional 
measures to be taken and without kind of constant renewal of 
our practices, it is not going to be sufficient to fight the 
latest attacks.
    Mr. Guthrie. OK. Thank you. I guess one thing that I am 
really kind of concerned about as we move forward, I know 
Sony--any time you spend money because somebody did something 
illegal, that is an inefficiency to everybody. But the two- or 
three-store small business in Kentucky that maintains their 
clients files and just having the resources to be able to 
respond to protect their clients, to protect their customers. 
And just do you have any estimate of how much money just these 
events are going to cost your firm and hits, you know, the 
economy overall because that is what----
    Mr. Schaaff. I believe we have made statements publicly 
estimating a cost something in the range of $170 million for 
this particular incident. And obviously, as you note, for 
smaller businesses, number one, the ability to secure their 
networks as effectively is less because of the economics of 
that. And the evidence that I have seen in various reports 
suggests that the prevalence of successful attacks on small and 
midsize businesses is even higher than we see with the larger 
companies. It is a scary situation.
    Mr. Guthrie. Well, thank you. I yield back to the 
chairwoman.
    Mrs. Bono Mack. I thank the gentleman and the chair notes 
that we are being called to the floor for votes. My intention 
is to try to get through two more member questioning 5-minute 
segments before we recess. So the chair now recognizes Mr. 
Olson for 5 minutes.
    Mr. Olson. I thank the chairwoman. And again, I thank the 
witnesses for coming and giving us your expertise, your time 
today.
    As I stated in my opening statement, my home State of Texas 
experienced a serious and troubling data breach earlier this 
year. Names, addresses, social security numbers, and in some 
cases, birthdates and drivers' license numbers of state 
retirees and unemployment beneficiaries were posted unencrypted 
on a public server. In response, our state attorney general and 
the FBI have launched a criminal investigation into this data 
breach. Unfortunately, these kind of breaches are happening 
more frequently and they cause businesses tens of billions of 
dollars annually. The Federal Trade Commission estimates that 9 
million individuals in the United States have their identities 
stolen every year. This is the equivalent of approximately 17 
identities stolen every minute. That means that during the 
course of this hearing, if all of my colleagues and I take up 
our full 5 minutes, 85 IDs across this country will have been 
stolen.
    In response to the Texas data breach, the comptroller of 
public accounts launched a Web site called Texas Safeguard, 
which was created as a tool for Texans to receive up-to-date 
information about the breach, along with recommended security 
steps to take. And of note, they actually put a toll-free 
number up for folks to call and the comptroller is offering 
credit monitoring at no charge. There is also a frequently-
asked-questions page which outlines six steps people can take 
to protect themselves.
    But this burden is placed upon these victims of this breach 
and they have got to spend their own time enrolling in credit 
monitoring, placing fraud alerts on their credit files, 
requesting credit reports, and so on, and so on, and so on. Ms. 
Fitzgerald, Mr. Schaaff, given the breaches your companies have 
experienced and all the heartache and lost revenue, all the 
upset customers, all the resources you have had to expend to 
determine how these breaches occurred, I don't want to put 
words in your mouth, but you do think that there is a clear 
need for a comprehensive federal data breach and notification 
law, one that will create a uniform standard and preempt the 
current patchwork of state laws? Yea, nay?
    Ms. Fitzgerald. I do believe that it would be great if we 
had a federal data breach notification law that did preempt all 
of the state laws so it would be straightforward and companies 
would know exactly what they needed to take care of and who 
they needed to notify and when they needed to notify.
    Mr. Olson. Mr. Schaaff?
    Mr. Schaaff. Sony is also very supportive of such 
legislation and we would be very happy to participate and help 
in the formation of that legislation.
    Mr. Olson. All right. Thank you. And Ms. Fitzgerald, this 
is just for you, but why did you choose to contact law 
enforcement, the FBI, and the Secret Service as soon as you 
became aware of the incident? And is this a typical response 
for Epsilon to get law enforcement involved when a breach 
occurs when you don't necessarily know the extent of it?
    Ms. Fitzgerald. Well, we knew pretty quickly that there had 
been some data that had been downloaded and taken by somebody 
who wasn't authorized, and therefore, it was a criminal act in 
our mind. And so we went to look for law enforcement, the right 
ones to help us go after the bad guys.
    Mr. Olson. OK. And for you, Mr. Schaaff? I know you and 
PlayStation had one heck of an April. But why did you conclude 
that notifying PlayStation Network customers via the 
PlayStation blog was, as you stated, ``one of the best, 
fastest, and most direct means of communicating with 
customers?''
    Mr. Schaaff. In the years that PlayStation has been in 
business, we have managed this blog and it has become a very, 
very popular source of information for our customers about new 
game titles and all kinds of information related to 
PlayStation. And we know that it is a good way to get a message 
out to customers quickly. Of course, that wasn't the only way 
we communicated with our customers. We did follow up with 
public announcements through other channels, as well as email, 
direct emails to the consumers following the breach.
    Mr. Olson. OK. And one final question about sort of how you 
are prepared for this. I mean I know, Ms. Fitzgerald, for your 
testimony Epsilon had reactive plans in place ready to go if 
some sort of breach happened, and I assume that is the same for 
Sony.
    Mr. Schaaff. Absolutely.
    Mr. Olson. But, I mean, is there a specific entity within 
both of your companies that is proactive? I mean somebody you 
have got in your company that sort of looks at your security 
systems and tries to penetrate it, tries to find the 
weaknesses; I mean sort of a proactive approach instead of 
reacting to a breach, preventing a breach by recognizing 
weaknesses within the company?
    Mr. Schaaff. We have a successful approach to security that 
involves both proactive as well as reactive approaches, and we 
definitely have those kinds of resources in place in my company 
and in Sony Corporation as a whole, an important part of our 
process.
    Ms. Fitzgerald. And I would agree with that also. Epsilon 
has that.
    Mr. Olson. OK. I see I am down to 16 seconds. I thank the 
witnesses again for your time. And at the risk of getting 
crosswise with the chairwoman and Mr. Stearns left, but go 
Mavericks.
    Mr. Schaaff. Thank you.
    Mrs. Bono Mack. The chair recognizes Mr. Harper for 5 
minutes.
    Mr. Harper. Thank you, Madam Chair. I would ask you, Mr. 
Schaaff, why did it take Sony approximately 7 days to notify 
customers that their personal data had been compromised?
    Mr. Schaaff. Well, the basic essence here was to find the 
right balance between notifying customers as soon as we had 
some sense that something had gone wrong but not being 
irresponsible in that notification and creating undue stress or 
concern within the customer base. We immediately began an 
investigation and we were able to notify customers within a 
couple of days that we had had an unauthorized external 
intrusion. But it took us several more days to be able to 
clearly discern what information had been taken and even at 
that point, we were not able to rule out the possibility that 
credit card information had been taken. Nevertheless, we went 
ahead and made a public statement regarding the potential of 
those losses.
    Mr. Harper. I just want to be clear. So how long was it 
before any customers got notification?
    Mr. Schaaff. We first discovered unusual activity on the 
19th. We shut down the network on the 20th of April, and we 
notified consumers on the 22nd of April. So it was basically 2 
days.
    Mr. Harper. Did you notify all the consumers at that point?
    Mr. Schaaff. Well, so at that point we were intensely 
involved in this investigation to try to figure out what to 
notify the customers about. And so at that time we notified 
using the blog that we believed that there had been an 
intrusion. And then beginning on the 26th when we made a lot of 
public announcements related to specific information that may 
have been lost we initiated through news channels, obviously 
our blog, as well as through a direct email campaign to the 
customers detailed information about the nature of the loss.
    Mr. Harper. How many notifications did each consumer 
receive?
    Mr. Schaaff. Well, my understanding is that in regard to 
the Sony PlayStation breach, that should have been 
approximately 77 million emails that were sent.
    Mr. Harper. Now, I understand but were they notified more 
than one time as you learned additional information?
    Mr. Schaaff. Well, we notified via the blog on the 22nd. We 
provide updates on that blog on a regular basis as to kind of 
the concurrent state of affairs, but I believe in terms of the 
email notifications related to the potential loss of data, that 
was a one-time event.
    Mr. Harper. Do you believe the news that you passed on, 
looking back now, do you believe it was done quickly enough?
    Mr. Schaaff. What I would say is that we tried very, very 
hard to find the right balance there, and I believe that if we 
had responded earlier, it would have probably been 
irresponsible. Even to this day we question whether we should 
have taken a little bit more time to finish the investigation 
with regard to the credit card information. I believe we 
probably struck the right balance, but it was a tough call.
    Mr. Harper. And I know there was a letter that was sent out 
on May 3 where you had indicated that there was no evidence of 
misuse of the customers' personal information that was accessed 
during that breach. We are a month past that point. Is that 
still your position on that?
    Mr. Schaaff. When we talked to the credit card companies, 
they have still told us that they see no signs of unusual 
activity related to this breach.
    Mr. Harper. And do you know where the attacks originated?
    Mr. Schaaff. Unfortunately, at this time we don't.
    Mr. Harper. OK.
    Mr. Schaaff. We are working with law enforcement and others 
to try to figure that out, but at this time we don't have any 
clear----
    Mr. Harper. Of course, we certainly hear media reports or 
speculation, and I know you don't have it with any certainty, 
but there was one report that initially suggested that Amazon's 
pay-per-use cloud service may have been used. Is there any 
accuracy to that or any proof of that?
    Mr. Schaaff. Well, so what I know is the FBI is 
investigating that report, and at this time I don't have any 
other information about whether that is true or not.
    Mr. Harper. Now, does Sony Online Entertainment and Sony 
Network Entertainment, are they using the same server models 
and security protections and the software?
    Mr. Schaaff. We comply with the same types of industry 
practices and are subject to the same policies as far as being 
a part of the Sony Corporation. The specific architecture of 
each of those services is probably different because the types 
of services that we provide are different. But, you know, 
across the industry, most internet service providers are 
building their services out of largely the same basic 
components so there is probably a lot of commonality there.
    Mr. Harper. Thank you. Madam Chair, I yield back the 
balance of my time.
    Mrs. Bono Mack. I thank the gentleman. And at this point in 
time we are going to recess the committee to head over to the 
floor for vote. And our intention is to return as soon after as 
we can from the series of votes. It should be about 45 minutes 
is my guess. Things could change. So the subcommittee stands 
recessed until after the last vote on the floor.
    Ms. Fitzgerald. Thank you.
    [Recess.]
    Mrs. Bono Mack. The subcommittee will reconvene and come to 
order obviously. I wanted to thank you very much for indulging 
us and apologize that there has been a slight little change of 
plans with the minority headed over to the White House for a 
very important meeting with the President. We have agreed that 
we would conclude questions.
    But before I do that, I would like to offer the two of you 
the opportunity to give us any final thoughts you might have 
and any recommendations for legislation as we move forward in 
the process here. So I recognize each of you for 5 minutes to 
do that. And you don't have to take the full 5 minutes if you 
would like, but the time is yours if you would like it.
    Ms. Fitzgerald. Thank you. Honestly, as we have thought 
about this, we would greatly appreciate the opportunity to work 
with you and your staff and any members of your subcommittee to 
create a national data breach notification standard. The 
details within it would have to be worked out as we think 
through what would be all the ramifications. And I think 
clearly I would not be the only one with experience, but we 
would love to work on that with you.
    Mrs. Bono Mack. Mr. Schaaff?
    Mr. Schaaff. Thank you. I want to thank you again for the 
opportunity to come and speak today and especially thank you 
for all the work you have done related to intellectual property 
protection. This is a really critical part of the work we are 
trying to do to build and grow our business.
    As you heard in our testimony today and in the private 
session where we shared more technical details regarding the 
breach yesterday, despite taking what we believe to be 
extremely appropriate and substantial steps to build a safe and 
protected network, hackers were able to get into the network. 
The thing that is frightening about this is it is easy to focus 
on Sony and look at the things that we might be able to do in 
the future to strengthen our network, but the reality is 
because we are all building our networks out of the same basic 
ingredients, if there is a weakness in the way that we have 
built things, chances are, the weaknesses may lie in the 
components that we rely on from the variety of vendors that we 
all build our products out of. And I think that we are working 
together as industry to try to strengthen our processes and our 
practices and our technologies, but I think the conclusion that 
I would leave you with today is that without further assistance 
from the government, I think that we are all going to have a 
world of hurt in this internet economy. And we really would 
appreciate and request your assistance.
    And regarding the specific legislation, we are also 
extremely supportive of this and would welcome the opportunity 
to contribute and speak to you further regarding its 
development. Thank you.
    Mrs. Bono Mack. Well, I thank you both very much. And Mr. 
Schaaff, I would also like to address a comment earlier about 
the question of would you or would you not file suit again to 
protect your intellectual property, and I wanted to commend you 
on your answer. And I am glad that you did it then. And you 
know, too often people are afraid of being hacked and the 
retribution because of the decisions you make.
    Mr. Schaaff. It can be a lonely place.
    Mrs. Bono Mack. Well, I want to applaud you for that. And 
again, thank you both very much for the spirit with which you 
came before us today and the spirit of cooperation. I think the 
committee is very excited about the opportunity to work with 
you and to craft good legislation.
    So we have a unique opportunity now as a subcommittee to 
make certain that the future cyber attacks on American 
consumers will never again be a silent crime.
    So at this point I would like to remind all members they 
have 10 business days to submit questions for the record, and I 
ask witnesses to please respond promptly to any questions they 
receive. And the hearing is now adjourned.
    Mr. Schaaff. Thank you very much.
    Ms. Fitzgerald. Thank you very much.
    [Whereupon, at 2:14 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

               Prepared Statement of Hon. Henry A. Waxman

    I would like to thank Chairman Bono Mack and Ranking Member 
Butterfield for following this important issue. Data security 
is not a partisan issue. It is an issue that affects all of us 
because sooner or later everyone is vulnerable to cyber 
attacks: private sector companies of all sizes; federal, state 
and local governments; and the American public.
    Just yesterday, we learned of an attempted attack on Google 
email accounts that included efforts to steal email passwords 
and other information from high-ranking government and military 
officials--a stark reminder of the financial and national 
security risks posed by hackers.
    At last month's hearing titled ``The Threat of Data Theft 
to American Consumers,'' we reviewed how the federal government 
investigates data breaches and what it should do to ensure that 
private sector companies protect the personal information of 
their consumers.
    Today we are going to hear from Sony and Epsilon, two 
companies that recently suffered massive data breaches.
    We have all heard the numbers: the personal information in 
over 100 million user accounts was compromised in the Sony 
breach. The customers of more than 50 major corporations were 
affected by the Epsilon breach, including customers of Target, 
Best Buy, JP Morgan, and US Bank.
    While we will delve into the specifics of these two 
breaches, the point isn't to make an example of these two 
companies. We need to know how these breaches happened and to 
find out what these companies are doing, and what they can do 
better. And we need to understand the appropriate federal role 
in this area. We need a government that can partner with 
companies to make sure they do a better job protecting the 
information they demand of consumers.
    As I said at the last hearing, the private sector can, and 
must, safeguard personal information. If companies do not take 
reasonable steps to guard their data and they suffer a cyber 
attack or data breach, the cost to consumers can be immense.
    When it comes to data security, prevention is the best 
medicine and certainly the cheapest. Yet too many companies are 
not doing enough prevention and consumers are paying the price.
    We in Congress also have a role; we can conduct oversight 
and legislate when needed. The recent attacks on Sony, Epsilon, 
and now Gmail are proof that it is indeed time to legislate. In 
particular, Congress should pass the Data Accountability and 
Trust Act; H.R. 2221 from the 111th Congress.
    The bill requires companies to have reasonable data 
security measures in place and to notify consumers once a 
breach has occurred. It passed the House last Congress with 
strong support from both sides of the aisle. We should take 
swift action to pass it in this Congress.
    I look forward to today's hearing and working together to 
ensure that the private sector is doing all that it can to 
protect the personal information of the American people.
                              ----------                              


               Prepared Statement of Hon. Edolphus Towns

    Thank you Chairman Bono-Mack and Ranking Member Butterfield 
for holding this hearing today on the importance of Data 
Security to our nation. The information age has ushered in a 
new era in technology that offers many Americans the ability to 
access, store and transfer massive amounts of information at 
any given time. With the advent of the internet and the 
advancement of e-commerce, Americans have been able to engage 
in a variety of online activities that require personal 
information to be shared in cyber space.
    Unfortunately more often than not this information is 
compromised by computer savvy individuals that use this 
information to access the identity of their victims. Data 
breaches have become more common in recent years due to the 
massive amounts of personal information that are stored on 
computer servers which many people thought were secure. In 
April of this year Sony Corporation and Epsilon Data Management 
revealed they had been involved in two of the biggest data 
breaches this year. Sony made public that its PlayStation 
Network had been breached on April 26th, 2011; however the 
breach took place one week prior to their notification of 
PlayStation account holders. The Sony PlayStation Network has over 
77 million accounts that were compromised due to this lapse in 
security. It is my hope that this hearing will shed light on 
how this breach was able to take place and why it took a week 
for Sony to notify its account holders.
    Epsilon Data Management LLC is one of the largest email 
marketing companies in the country. Over 40 billion emails are 
sent from this company annually to consumers. On April 1, 2011 
Epsilon revealed that an unauthorized entry to its email system 
had occurred, exposing the personal information of several 
million customers of companies employing Epsilon for marketing 
purposes. Reportedly consumer information had been available 
for months.
    Consumers must feel safe in knowing that the information 
that they share with companies involved in e-commerce is safe 
and secure. The recent data breaches at the Sony Corporation 
and Epsilon Data Management raise questions about what 
protocols are in place to protect consumers against hackers who 
would do them harm. Currently there is no comprehensive federal 
law that requires all companies that hold consumers' personal 
information to implement reasonable measures to protect that 
data.
    I look forward to working with my colleagues on this 
committee to ensure the American people that their personal 
information is kept safe from malicious cyber attacks.
    Thank you, Madam Chair, I yield my time.
                              ----------                              
