House Committee Generates Support for Data Security Legislation

Executives from Sony Network Entertainment and Epsilon Data Management recently testified at a House Energy and Commerce Committee hearing.  Ostensibly, the hearing was held to further examine the recent Sony and Epsilon data breaches, and the state of the ongoing investigations.

While there was some gentle criticism related to the handling of the breaches, the takeaway from the hearing was further support for national data breach security legislation.  Perhaps the “what can we do about it” tone, with less finger-pointing, is due to the recent spate of security incidents involving other high profile companies.

In fact, in the days before the hearing, defense contractor Lockheed Martin reported an attack, possibly linked to an earlier RSA SecurID hacking incident.  Google also reported that Gmail accounts, including those of senior Obama administration officials, were targeted by China-based hackers.  In the meantime, a hacking group claimed that it had recently accessed personal information from various Sony websites, continuing the cyber crime wave that has hit Sony over the last few months.

In this atmosphere, where it seems any entity can and will fall victim to cyberattackers, it is no wonder that both Sony and Epsilon voiced support for national data breach legislation.  Epsilon’s General Counsel stated that Epsilon fully supports a uniform standard for data breach notification, and that the current patchwork of state laws only creates confusion and increases costs.  Sony also backed the enactment of cyber-security legislation that would preempt the numerous state laws.

Rep. Mary Bono Mack (R-CA), who chairs the House subcommittee that held the hearings, promised to work with colleagues to pass comprehensive data security legislation in order to protect Americans from cyber crimes.  This is not the first time that such national legislation has been proposed, but as the wave of highly publicized cyberattacks continues, Congress may now feel it has no choice but to act.

It is unclear how a national standard will help protect Americans, as opposed to simply making it easier for companies that experience a breach to comply with notification laws. 

It is the unrelenting cyberattacks that are the source of the problem.  Figuring out a way to stay a step ahead of the attacker is a much more difficult issue.  Perhaps the cart-before-the-horse approach (notifying after the fact, rather than stopping the attack in the first place) is better than simply doing nothing.