Huge Data Theft Causes Renewed Push for National Data Breach Law

Those in Washington know that the best way to get steam behind a public policy issue is by building on the momentum of a national news cycle. Well this week the Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing entitled “The Threat of Data Theft to American Consumers”.

The hearing was in response to Sony’s announcement on April 26 of a massive data breach caused by computer hackers that resulted in the theft of 77 million user accounts. What caused an even greater uproar was that Sony announced the breach seven days after the incident occurred. To make matters worse, Sony subsequently announced that the 77 million data theft was preceded by a data theft a week earlier that resulted in the loss of 25 million user records due to a hacker attack. The data stolen contained names, addresses, birth dates, phone numbers and other similar type of information.

During the hearing, there was testimony from David Vladeck, director bureau of consumer protection, Federal Trade Commission; Pablo Martinez, deputy special agent in charge, Criminal Investigative Division, U.S. Secret Service; Justin Brookman, director consumer privacy project, Center for Democracy and Technology, and Dr. Gene Spafford, executive director, Purdue University.

Most of the panelists agreed that Sony’s data breach could have been avoided easily by updating its software with security patches and applying simple encryption techniques. It also was reported that a Sony user forum noted that Sony had failed to provide minimum security measures several months before the April breaches occurred. This only served to irritate the members of the subcommittee, including Subcommittee Chair Mary Bono. It also did not help that Sony refused to send a company representative to participate in the hearing.
The good news is that this and other similar types of breaches has initiated a renewed discussion on the need for a national data breach law that preempts the existing patch work of state laws that now number at about 42. In fact, Vladeck specifically stated during the hearing that he supported a national data breach law, as did the other members of the panel. The specifics will have to be worked out, but Subcommittee Chair Bono announced that she will introduce a national data breach law in the near future. As is in all cases, the devil will be in the details.