The US Congress needs to pass new data security regulations for businesses in response to recent data breaches at Sony, Epsilon and other companies, members of a US House of Representatives subcommittee said Wednesday.
The data breaches at Sony, involving more than 100 million accounts on its PlayStation and Online Entertainment networks, and at email marketing firm Epsilon, involving about 50 of its business customers, are "deeply" troubling, said Representative Mary Bono Mack, chairwoman of the House Energy and Commerce Committee's commerce and trade subcommittee.
Since 2005, companies have reported about 2,500 data breaches involving hundreds of millions of customer records, said Bono Mack, a California Republican. "This begs the important question: If we don't do something soon, what's next?" she said. "And where does it end?"
The subcommittee invited representatives of Sony and Epsilon, which reported their data breaches in the past two months, to testify during the hearing, but both companies declined, instead sending written responses to lawmakers' questions. Bono Mack called the companies' refusal to testify "unacceptable".
Sony is still investigating the breaches, a spokesman for Bono Mack said.
Several lawmakers said they planned to use 2009's Data Accountability and Trust Act as a starting point for new legislation. The DATA Act, introduced by Representative Bobby Rush, an Illinois Democrat, failed to pass through Congress.
Rush's bill would have required organisations holding personal data to maintain security policies and to notify affected consumers after a data breach. The legislation would have allowed civil penalties of up to $5 million (£3 million) for organisations that do not take adequate security measures and organisations that do not notify consumers of data breaches.
The Sony breach has the "potential to become the Great Brink's Robbery of cyber-attacks", Bono Mack said.
"Like their customers, both Sony and Epsilon are victims, too," she added. "But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it - and that starts with robust cybersecurity."
Months before Sony announced the breach, security researchers revealed that the company was running an outdated and unpatched version of the Apache Web server, said Eugene Spafford, executive director of the Purdue University Center For Education and Research in Information Assurance and Security.
Sony spokespeople did not immediately respond to a request for comments, but in the company's written response to the subcommittee, the company said PlayStation Network intruders used "very sophisticated and aggressive techniques to obtain unauthorised access, hide their presence from system administrators and escalate privileges inside the servers".
However, several subcommittee members questioned whether many US businesses were taking necessary steps to protect their data. Representative Brett Guthrie, a Kentucky Republican, asked if businesses are "sloppy" or if cybercriminals are "just a step ahead".
In nearly all data breaches, businesses haven't taken reasonable precautions, said Pablo Martinez, deputy special agent in charge of the Criminal Investigative Division at the US Secret Service. In its 2010 data breach investigations report, Verizon Business found that 96 percent of breaches were avoidable through simple or intermediate controls, Martinez noted.
"A lot of times, it's that some of these security measures that should be in place, just aren't fully implemented," Martinez said. "Although we do have criminals that are highly sophisticated, and we have seen the amount of attacks due to hacking increase, a lot of these attacks could have been avoided had best practices been applied."
Asked if US businesses were taking enough action to prevent attacks, all four witnesses at the hearing answered "no".
One lawmaker questioned how businesses know they've lost data. "I've not been a victim that I know of," said Representative David McKinley, a West Virginia Republican who ran his own architectural and construction firm before he was elected to Congress in 2010.
"How does a company know that it's been breached?" he said. "Would our IT person have seen a breach? Would he have seen something flashing?"
In some cases, a business loses a laptop containing consumer data, or system logs show unauthorised access, witnesses told him. McKinley then asked if all small businesses have system logs showing data breaches.
Some do and some don't, Spafford said.