Prompted by the massive data breaches of Sony’s networks, the Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee held a hearing on May 3 on data theft and its effects on consumers. One of the witnesses was USACM Chair Eugene Spafford. The committee has a webpage on the hearing, which includes links to an archived webcast and the written testimony of all four witnesses. You can also read Dr. Spafford’s testimony and the USACM press release covering it.
While Sony and Epsilon (an email marketing company that recently suffered its own data breach) were invited to testify, they declined to appear. This presented an excellent political opportunity for the members of Congress at the hearing, and the subcommittee chair suggested in press reports that she may again invite Sony to testify. The witnesses who did attend came from two government agencies heavily involved in data breach prevention and investigation, the Federal Trade Commission and the Secret Service, and from legal and technical experts who provided useful context on both the recent data breaches and the longer-term problems in this area (publicly reported data breaches have affected at least 600 million records since 2005).
The Energy and Commerce Committee has worked on data privacy and data breach legislation in the past, and may try to use the recent breaches to push its legislation further through Congress than it has been able to before. The witnesses all supported some form of data privacy legislation to address not only data breaches and notification, but also effective information security practices. The large majority of these breaches could be mitigated by better implementation of best practices in this area. Many of the questions and answers reflected the committee's long work in the area, though the members' questions suggested that companies have not been effective in communicating why they may not be able to notify consumers immediately in the event of a breach.