Sony made a “half-hearted, half-baked” response to cyberattacks that compromised personal information for as many as 100 million people, Rep. Mary Bono Mack, R-Calif., told a subcommittee hearing on data breaches on Wednesday.
Sony and Epsilon are victims, too, Bono Mack said--both reported losing consumer information a month ago. But she took the companies to task for not testifying at the hearing, held by House Commerce's Subcommittee on Commerce, Manufacturing, and Trade and packed with reporters from Japanese media outlets.
Sony was slow to notify consumers about the attacks that compromised personal information in 77 million PlayStation Network accounts and 24.6 million Sony Online Entertainment accounts, said Bono Mack, who chairs the subcommittee.
“Why weren’t Sony’s customers notified sooner of the cyberattack?” Bono Mack asked. “I fundamentally believe that all consumers have a right to know when their personal information has been compromised,” she added.
“Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them.”
Sony defended its response to the breach and said it had received no reports that the stolen information has been used illegally.
“I hope you can appreciate the extraordinary nature of the events the company was facing--brought on by a criminal hacker whose activity was neither immediately nor easily ascertainable,” Kazuo Hirai, chairman of the board for Sony Computer Entertainment America, said in a written response to the subcommittee.
“I believe that after you review all the facts, you will agree that the company has been acting in good faith to release reliable information in accordance with its legal and ethical responsibilities to its valued customers.”
On Tuesday, Sony announced that it had hired outside investigators to help secure its networks and catch the hackers.
Hirai hinted that the attack on the Sony Online Entertainment accounts came from the cybergroup Anonymous as retaliation for a Sony lawsuit against a hacker.
Epsilon, the world's largest e-mail marketer, was hacked last month and details of just what information the hackers got are still coming out.
Gene Spafford of Purdue University testified that Sony knew it was using outdated software months before the attacks.
David Vladeck, director of the FCC's Bureau of Consumer Protection, refused to say whether the agency is investigating Sony. Since 2001, the Federal Trade Commission has brought 34 cases against companies for not protecting consumer information, according to a statement from the commission submitted to the subcommittee.
The U.S. Justice Department has said it is investigating who might be behind the attacks.
The Privacy Rights Clearinghouse says that more than 2,500 data breaches have exposed 600 million records since 2005. And at Wednesday’s hearing, witnesses and lawmakers agreed that cyberattacks are on the rise and are taking a toll on the economy.
“Given its growing scale and persistence, it is appropriate to question whether enough is being done to solve the data-breach problem,” said Justin Brookman, director of consumer privacy for the Center for Democracy & Technology, although he added that “some state and federal regulations require companies to notify affected companies with adequate incentive to properly protect consumers’ data in the first place.”
Bono Mack also asserted that American consumers are under “constant assault,” and she said she would introduce legislation to require companies to promptly alert consumers.
“This ongoing mess only reinforces my long-held belief that much more needs to be done to protect sensitive consumer information,” Bono Mack said. She gave no timeline for introducing her bill, but said she would start meeting with stakeholders "immediately."