In April and May, Sony experienced one of the largest data security breaches in history.
More than 100 million users had their data compromised, data that included identifying information like names, birth dates and at least some partial financial information and payment card details. Originally, Sony announced that cyber-attacks taking place on April 17 and April 19 had spilled data from 50-75 million accounts out into the open, only later adding another 24.6 million accounts to that grand total following an additional breach in early May.
While the breach itself was big news, especially with a grand total of compromised users that was twice that of the famed 2007 TJX breach, in which nearly 46 million customers had their data stolen, what was even bigger news was Sony's response to the network intrusion.
Sony shutdown the compromised network on April 20, and, a little less than a week later, issued an email and a blog posting notifying customers that there was a breach, that an unauthorized assailant had obtained users' names, addresses, countries, email addresses, birthdates, passwords and logins, and that while there was no evidence that credit card data had been taken, Sony could not "rule out the possibility."
A little less than a week doesn't sound like that much time in the scheme of things, but in terms of data breaches, the six days between the intrusion and shutdown and the blog posting may as well have been a lifetime.
"When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised ... I am concerned that PlayStation Network users' personal and financial information may have been inappropriately accessed by a third party,' said Sen. Richard Blumenthal (D-CT) in a letter to Sony on April 26. "Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised."
Sony would go on to ignore Blumenthal's letter, prompting the junior senator to send another in early May, following the revelation of the even greater scope of the data theft. "Sony's failure to adequately warn its customers about serious security risks is simply unconscionable and unacceptable" he said. "The company should do everything in its power to promote transparency and speed notification in order to protect its users against identity theft and financial fraud'
Blumenthal wasn't alone in his outrage, and several other, more senior legislators took the Sony breach, and the Citigroup breach that followed only days later, as a sign that the time had come for Congress to act.
Some could view this as yet another example of Congress nobly striding in to shut the stable door after the horse has already escaped. Nonetheless, there are many in Congress who have held out hope session after session for the establishment of a nationwide data security and breach notification standard. Currently, there's a patchwork of 47 state law legal frameworks, but no federal law to supersede these and bind all states to the same standard.
"This is a new cost of business in America,' said Sen. John Rockefeller, IV (D-WV), a cosponsor of one of the two bills currently being considered in Congress that would enact a nationwide data security and breach notification standard.
"When criminals break into a database, they can use this information to commit identity theft which can have devastating consequences."
"There's a broad consensus that data security legislation is necessary," he added. …