>> you been watching booktv, 48 hours of book programming beginning saturday morning at eight eastern through monday morning at eight eastern. nonfiction books all weekend every weekend right here on c-span2. .. >> and a procedural vote on president obama's nominee for

deputy attorney general. >> this week on "the communicators," representative mary bono mack talks about the theft of millions of consumers' personal data through computer hacking into sony's playstation network and what she'd like to see government do to protect consumers. >> host: congresswoman mary bono mack, one of your key questions yesterday at the sony data breach hearing was, why weren't sewn customers told earlier? are you satisfied with the answer that sony provided? >> guest: not yet. and i think sony, of course, has some legitimate concerns and questions. but for me as a policy maker and a consumer, also, i think the consumer always should be alerted first and foremost on any data breach like this because only they know what data might have been exposed. so, you know, i think if sony would have come out and testified at the hearing, we could have got a lot of answers

that would have been very helpful. frustrated, concerned, we'll follow this, we'll see why they say consumers didn't have the right to be informed immediately, see if there's a legitimate reason that they actively were still protecting consumers by their actions or if they were sort of creating greater jeopardy for their consumers. >> host: now, the fact that sony provided written answers, was that satisfactory? if you get asked to testify at a hearing by congress, chances are you're going to come, correct? >> guest: well, you would hope. and, again, i could understand sony's concern they would be scrutinized very heavily and have some pointed, tough questions that members would have asked. you know, reading the answers there's still more questions that come out of their, you know, the answers that they provided to us that i think we need to continue to pursue. and, again, recognizing, you know, sony has some speck haitian about what happened, and they are contending they're victims here, but it's a two-tier victimization process. there's the sony side, and then there are the 100 million

consumers who are also potential victims here. so the, you know, the letter, the well-worded letter and quite detailed, but it still presents a lot more questions than it does answers. >> host: in fact, the chairman of the board of directors of sony usa wrote this to you: >> host: do you agree that the company has been acting in good faith? >> guest: there we have, but again, remember, the way many which sony notified their customers was by a blog post. so it was a passive

communication to the consumers rather than an active, hey, everybody, let you know what happened here. but only the consumer might -- you know, something as simple as, oh, i use that password that i use for everything, and somebody just hacked into it? a lot of people might think, oh, gosh, they have my records now. in my view, i feel safer because sony let me know this happened immediately. so the questions that all come out of this and the letter, the very long-worded, you know, what did you know and when did you know it. but for me when sony says we were protecting the consumers, again, the consumer might want to know, wait a minute, you know, i too have the right to protect myself, and all i'm asking and all i'm saying as a policymaker is should they know sooner, should they be required or should they do their best to notify given the consumers' idea of how they would protect themselves rather than sony being the decider of how they're going to protect consumers. >> host: representative mack is the chairman of commerce,

manufacturing and trade. she's our guest on "the communicators." also joining us, juliana gruenwald, tech and telecom writer for "the national journal." >> host: hi, congresswoman. >> guest: hi. >> host: so what kind of a posting should they have made? what would you like them to have done? >> >> guest: well, of course i would have liked -- to me, it seems they could have let people know a hitting bit sooner. they contend and others will contend that a timeline they need to allow law enforcement to come in and for them to do their forensic analysis on what actually happened. but you also have to ask yourself does, in fact, by giving them a lengthy time period put more people in harm's way? so i don't know that i can identify a specific time or manner, but i can speak to the voices of the consumer who are saying, wait a minute, i have a right to know as soon as possible as well. you know, in this day and age, and i just said pass i versus

active notification, not too many people would spend the time perhaps if they're not logging on or gaming to go to a blog post. but if they get an e-mail, chances are they're going to get that in a much more timely manner, and then they can make the decision -- again, i'm using this as an oversimplification -- but if they say, holy cow, i've used this password for everything, and they can spend the rest of the day changing the pass word. it's an example of why these questions are very important x the answer is we try to get out of them. i honestly don't know there's one set answer. >> host: this day the breach is just one in a string of many in recent years including, you know, last month one i epsilon which is a major provider of e-mail services for numerous customers. some 40 states have passed data breach laws. this is not a new issue. why do you think congress has

not acted yet? >> guest: first of all, it's a growing issue. and when you think back to 2005, you know, a handful of years ago, the data breaches were smaller and they involved hardware. remember the cases years ago of hard drives going missing from our nuclear laboratories. data breach is taking on a whole new role. but these are somewhat silent crimes for many people, and even as a lawmaker you don't hear about this until it's too late. and nobody knows how awful it is to have your personal identification hijacked and used for dubious purposes until its actually happened. so i think if the sony case, these hundreds of millions -- this hundred million records being out there and being potentially breached and harmed, i think law lawmakers could hear from people and they'd be more actively engaged in the issue. >> host: are consumers adequately outraged? if people are still handing over

their personal data to these companies. do you think that's maybe been -- that consumers just haven't gotten worked enough about it? >> guest: well, and that's a great question. and i think it goes to the whole internet experience. you know, we believe that when we are asked for our information, that there's reasonable protection in place. and -- but it's getting to the place when you hit the enter key, you're crossing your fingers at the same time, and that's not a good enough policy. we want to belief that those people -- believe that those people that are asking for information take great lengths to safeguard it. i don't know that consumers are going to be outraged until it's actually happened to them. but these crimes can appear long down the road, and what's worse about them is they can compile. people might think that the credit card i used on sony might be compromised, but other data that they might have might have been hacked, can paint a pretty full picture of who you are elsewhere. so the length of the crimes that could be committed, i think, are

unknown. >> host: representative bono mack, are you considering -- what kind of legislation are you considering when it comes to data breaches? how do you approach that? >> guest: well, there have been a number of efforts in congress, some have been successful getting out of the house. there's been a very good bipartisan effort. cliff sterns from florida has been a leader on this, bobby rush has been a leader on it. we want to continue to build on the work ha they have done. it's always better, you don't have to reinvent the wheel, but you can sort of, you know, take advantage of other people's work and move the ball forward. again, it's a matter of finding the fine lines. we want to protect the consumer and also enable and enhance e-commerce. there's a very good chord that's been struck, so piggyback on that and make sure we're doing our best to protect consumers, yet not get in the way of e-commerce. >> host: could you foresee federal requirements for e-commerce companies such as

sony? >> guest: well, i think the question would be federal requirements in lieu of all of the patchwork of state requirements. and many and i believe most would argue it would simplify things to have the one set of rules to play by rather than the patchwork of the at least 40 some odd states who are currently doing it. so the federal role would be probably no greater, and some would say the states should still have the ability to do more if federal government doesn't do enough. but that would be, that would be the approach. >> host: is your approach, congresswoman, a bipartisan approach? is there partisanship on this issue? >> guest: yes. there's terrific bipartisanship on it. my goal would be to get something between the house and the senate, but that in it if you look at the people who are engaged in it, it would be, i anticipate, a very good bipartisan product. >> host: if i'm not mistaking, the rush -- mistaken, the rush

bill introduced last year required an adequate level of security and notification of a data breach. based on the hearing yesterday, is there anything you would tweak or, you know, is there any concrete ideas that came out of that that you think need to be added to the bill at this point? >> guest: there were some great comments out of the hearing yesterday, and i think on all counts the hearing was a good one. the questions that came up to me not having been really as on be front line of the negotiations before, but some of the questions that people are asking now are new since that bill. geotracking. justin brookman brought up the fact about why it can be good to retain some of that data, why people might want to do that. so, again, it goes back to the question, how carefully can you craft legislation, how can you not, basically, have too broad a brush stroke that creates a

bunch of unintended consequences? a lot of great suggestions yesterday, a lot of things that make you have to pause and think and consider, really, the consequences of all of the legislation. >> host: do you think it should be, should move on its own, or should it be part of a broader private baseline? i know that in the senate there's been a bill introduced, and there's been talk of a baseline privacy bill in the house. >> guest: well, i'd like to see them move separately. i think a lot of the issues are different, yet they sound similar. quite truthfully, they can get complicated and difficult to talk about. the data breach and the data security that we're talking mostly about with sony is a little bit different than the other privacy issues. and they both, again, have far-reaching consequences if you don't consider them carefully. so the reason i would like to see them separate -- that doesn't mean they couldn't be joined together eventually and, of course, whatever you have to

do to pass a law sometimes you have to do -- but the issues are somewhat, somewhat different, and it's good to look at them in a different light. >> host: congresswoman, you brought up the geotracking, especially when it comes to apple. is there a big brother quality in private companies having that kind of information about people? >> guest: well, there sure can be, and that's a great question. and, to me, it gets back to what is the consumer aware of what's happening to them, them, and doy have the right to opt in, opt out? and, again, for the consumer to understand the implications for themself. and geotracking, i think, gives everybody kind of a yuck factor. like you're thinking of the guy tracking you around in the trench coat, and there's a little bit of a yuck factor, and you can understand the harm, the physical harm when you think of tracking and geotracking. yet so many of the things we do and the conveniences we have

today are because of geotracking. we love our gpss. i, you know, when my daughter got her first car, i couldn't imagine she didn't have a gps device. so, again, it's to carefully consider that the consumer's empowered with the knowledge of exactly what's happening, how they're protected and if they feel it's something they want in their lives or not. >> host: this is c-span's "communicators" program. our guest is representative mary bono mack. we're talking about the data security breach hearing that was held this week in her subcommittee. juliana gruenwald with "national journal" is our guest reporter. >> host: getting back to the tracking issue. do you have overall concern about web sites tracking you as you go place to place on the web, you know, in order to target ads to you? do you think that's something that should be regulated?

have you had any thoughts on, you know, proposals for do not track? is that something congress should mandate, or should that be left to the private sector to lead on? >> guest: that's a great question. i am looking at it and, again, trying to separate good practices from bad for the consumer to make sure their online experience is a good one and that the data collected on them is something they know and understand and can participate in. for me, i know the industries involved -- and there are quite a few industries -- they're all looking at this themselves to make sure they're not overstepping their bounds or recognizing if they do, congress is going to come in the. so right now it's asking the questions, and letting people understand and congress understand, too, that there's a difference between the advertising, how it's delivered, the targeting that goes on and, again, the collection of data. you know, it was interesting this morning to turn on the news and see that they are reporting

polling data from a yahoo! search engine that released the demographics of who's searching for bin laden. and so the data that's collected, it's interesting and it changes, and with the targeted advertising the questions are many, and the issues are complicated and complex. and, yes, we are definitely looking at it. >> host: the federal trade commission has said they don't believe self-regulation has worked. they said that in a report they released in december. do you favor congress passing baseline privacy protections? is that something your committee's going to work on? >> guest: again, we are looking at it. >> host: do you hear from your constituents on the issue of online privacy? >> guest: very seldom. you'd be surprised. what i am enjoying is sort of the other side of that, how our constituency is really moving to the internet. and they love the fact not that this is a shameless plug here, they love the fact that i'm on twitter and facebook, and they

love the fact that they can interact with us that way. so we're hearing more and more from our constituents that way. and i think by that nature those folks who are on the internet are more likely to sort of comment on that. but the greater whole i am not really hearing a lot from my constituents at this point. >> host: your panel has shared jurisdiction on privacy with greg walden's subcommittee. do you have a sense of who would take the lead on that issue? >> guest: well, probably i would say me. i don't know what greg would say. [laughter] i would tell you that greg and i are great friends and have been seated together on the energy and commerce committee for many years, and we will gladly recognize the boundaries of the subcommittees and the jurisdictions and work together to the very greatest of our ability without any problem or with any, with any seams in between the two subcommittees. my subcommittee has jurisdiction

over the federal trade commission, as we've said, and greg over the fcc. so the issues would break down along those lines. >> host: congresswoman, epsilon was also invited to yesterday's hearing. they didn't show, nor did they provide written answers. is that correct? >> guest: we do have a letter from epsilon. >> host: okay. were you satisfied with what they had to say? >> guest: again, a lot of this is what where thai protecting themselves -- they're protects themselves, and i understand that. but i'm not satisfied because we don't really have the answers of how do we move forward and make sure this doesn't happen again and happen continuously and become, you know, basically, an impediment or a barrier that prohibits people from getting online whether it's shopping online or surfing the web, whatever their purposes are. i'm not satisfied because i think the answers are important. and this is not to point the fingers. again, epsilon and sony are victims, but -- as well. but, again, we need the answers

beyond that on crafting wise policy and holding their feet to the fires, to the fire. going back to sony. in their letter and their response to the congress, you know, the steps they say they've outlined since the breach are common sense. greater encryption, you know, having a specialized person to oversee security. the four things that they've talked about put into place, one would think they should have done a long time ago, especially when you're guarding 900 million -- 100 million customers. you'd think these basic items they would have done long ago. so the questions, the answers, the testimony, for me, are about moving us forward in a way that makes people safer. >> host: one of the things i noted in the sony letter or, i think, in your testimony was that not everyone's credit card was active or they got ahold of everybody's credit card. well, isn't it sometimes the date of birth and some of the other personal information that's more dangerous than a credit card? >> guest: you've asked a very

important question, and even sony cannot say whether or not credit card numbers were taken. but all of those other questions, it's not too hard to paint a picture of a person in their entirety by gathering data. and every bit of data about you paints a greater picture of you. and, you know, the security questions that are asked now, worth asking the question, you know, now you log on, and they say what school did you go to, what was the name of your first pet, you know, you're creating more of a database that is a you that is out there. so the questions are very good and very valid, and, you know, there's a children's toy that you can get. don't ask me how, but 20 questions. you think of something in your head, whatever it is -- a bread box. and the gizmo asks you 20 questions, and it will identify that gizmo every time. and i think about that when i think about our online safety, on how many questions do you need to have out there in

cyberspace before you've created a real person and a real identity that you can, who knows, open a mortgage with, a credit card with, whatever it is you want to do? get a passport, get -- you know, those questions. >> host: and when it comes to your constituents, have you had constituents contact you and say my identity has been breached, and i need your helpsome. >> guest: yes. >> host: what is the process like for you as a congresswoman? >> >> guest: well, first of all, i would have one of my caseworkers do their best in every congressional office, and this is a good thing to bring up. we have caseworkers who help with all of this as far as interface with the federal government. but i can tell you it's a nightmare for people, and the amount of time and effort that is spent for people to clean up their identity or their credit history, whatever happens to them. it can be just countless hours. and to add that, to take that out of somebody's life is quite a hassle. and sometimes, as you know, it can take a long time or a long time to clear up these things

once they're negative. >> host: as we move closer and closer and further and further into cloud computing, how does that play a role in security? >> guest: well, that question came up yesterday in the hearing, and the ftc contended that the cloud, you know, depending on where the server was located, didn't change things. but cloud computing is, it's, again, it's a great thing. it's a very useful tool, and we should kick around what it means to be based in the cloud. you know, t interesting now is how many of these services offer like a server with you can store all of your data, all of your files. there are even programs where you can have them keep ahold of all of your pass words in one convenient place expecting them to protect you and protect your data. and i think that's the question, again, consumers expect, you know, based on how much legal weight and authority is behind an agreement when you sign on with any of these guys. so i don't know if it's

cloud-based or not. the questions, i think, are pretty much the same. >> host: what should companies do to make consumers whole when a data breach happens? should they be offering credit monitoring? help, you know, if there was an id theft as a result of their information being stolen, what do they need to do? what's their responsibility beside just letting you know it happened? >> guest: great question. i believe the company that had the breach occur should do everything they possibly can to make sure the consumer doesn't have anything negative happen to them. and i know sony has offered credit reports and credit checks and trying to be helpful in that regard. hopefully, they will actually have some caseworkers of their own who if this should happen toll become a -- to become a problem where they can help take some of the burden off people in man hours. people are working 40, 60-hour workweeks, and now you're spending ten hours that week trying to clean up some mess,

perhaps sony and others could offer help in that regard. the way my caseworkers do. >> host: congresswoman, have you learned anything from the secret service yesterday? >> guest: i did, but it's secret. [laughter] of course. you know, and what's interesting and even i, as the chairman of the committee and the additional jurisdictional aspects of when is it fbi, when is it secret service, the level of involvement, and, you know, to recognize, too, that this is one area of cybersecurity that is important. but this really can go on to a matter of national security. and to recognize all of the layers and the entities that are, that are involved. so trying to get those answers from secret service, i think, was the most helpful for us. not that i clearly understood what he was saying about all of when you would talk and, you know, the other. but you can tell there are a lot of very serious, very capable and very good people who are focused on this issue, and the

secret service clearly made that known. >> host: so on the flip side, on the criminal side, are the penalties strong enough right now as they exist for hackers, and if they're from out of this country, what do we do? is. >> guest: well, i don't know that i have that answer. and this is a worldwide issue, and the hackers are often times, as we know, from out of our country. i think it is something that we should explore to deter people from, from just being hackers. it's interesting because sometimes these folks are just doing it for the malicious side of it because they can, because they're brilliant. i think when you're out there in the world saying we've created such a great system that nobody can hack into, you're inviting other brilliant minds to say, hmm, let's test that and see if it's right. so there have to be deterrence for people doing it, and they have to be tough and severe because it's happening more and more. >> host: what did you think of

sony's answer that this happened because they were challenging illegal copyright laws? >> guest: sony -- they have intimated that might be why, and i don't know. and they can speculate that, but they haven't proven it yet. i think sony's effort are is to -- there is to play the victim and to say, hey, we're the victims of some other bad guy. and i think it is important to remember that, that there's somebody out there who has decided to target sewn think and who has decided to do that. so there are two sides to this. the hacker hacking sony and sony protecting the data or sort of the recklessness with which they might have held the data. but sony contending that it was this group that is going after them because they had a lawsuit based upon intellectual property protection. i think the point is to put out there in the consciousness that they are the victim too. so -- but they have to still prove that point. >> host: do you anticipate more hearings, and do you think sony or epsilon or any of these other companies will show up?

>> guest: i do -- >> host: can you compel them? i don't know if you guys have speak subpoena power. >> guest: we could, but sony and epsilon have indicated they would not cooperate further, so i believe that if we asked sony or epsilon back, i believe they would come. it's my intention to stay on top of the issue and to stay engaged and to read and to really be focused on it at the point of calling sony and epsilon back. we'll see. but neither one has said, absolutely not, no way, no how. >> host: the u.s. does not have a single agency in charge of data protection like europe. is it time? >> guest: i don't know. and, again, i'd probably defer some of that to judiciary committee or another, or even homeland security. because the issues are varied, and they are different, and i think just by that nature i would think we would have them

compartmentalized a little bit more. but i haven't delved into them enough to know. when you look at some of the cyber attacks elsewhere around the world, they're not, you know, based upon necessarily what the sony breach was based upon. sometimes they are security related. so just by that nature, i'd think you'd keep those separate. >> host: juliana gruenwald. >> host: another issue you've been active on is internet governance, and you've expressed concerns of the united nations wanting to take over some fitness u fitnesses of -- functions of the internet. can you talk about what your interest, sort of how you got interested in that issue and what your concerns are? >> guest: sure. i think we as americans right now must take great satisfaction in watching around the world as people start expressing their voices and pleading for democracy. and so often now we're hearing that it's coming because of their efforts on twitter and on facebook and whatever social

networking they may use. and i think it is in our best interests that we continue to support the internet as a ground-up-based platform where the people are the voices. i have a fear of the united nations being a regulatory body that has the right to say anything about the internet. what our resolution was doing was expressing that the united nations should not be involved in regulating the the internet. to me that is frightening. >> host: representative mary bono mack is in her eighth term in congress, she represents the palm springs area of california, and she is the chairman of the energy and commerce subcommittee on commerce, manufacturing and trade. thank you for being on "the communicators." juliana gruenwald has been our best reporter. >> next on c-span2, author and professor walter russell mead discusses foreign policy debates of other nations. then we'r