
tv   America the Courts  CSPAN  June 4, 2011 7:00pm-8:00pm EDT

7:00 pm
the first draft of that was 1973. you do not want to freeze things by depending on the change in the law. if we could get in a room and rewrite the law in two weeks, that there are many interesting things about the act. i actually think it was an untold success story. i know there would be a controversial notion, but one reason why we actually -- mckinsey just came out with a study about the internet and its effect on economic development, and it would surprise some people how well the united states does there. but there are fundamental reasons. one of them is research institutions. we just have human capital that knows how to use this stuff, which leads to us being the leaders in a lot of applications, which is really important. the 1996 act actually, in an interesting way, led to a lot
7:01 pm
of buildup of infrastructure, which turns out to be really important, too. but the fundamental mission of the 1996 act was to allow long distance into local and long distance, and i think we all whether look back in history and say, turns out, that wasn't the biggest, most important issue from an historical perspective. that was one that kind of -- its roots lay many years earlier in the breakup of at&t. and, again, you know, it's why we need to be humble about how we approach these things and about grand designs and great visions. i think we can see a need for reallocation. i think we can see easily we need to transform education dramatically. the ipad and tablets create incredible opportunities to improve the way kids learn. and you're actually seeing that in some schools and hopefully we'll see it nationally. incredible opportunities to change the way we do healthcare. incredible opportunities to change the way we do public safety and job training. we need to focus on those things. >> let's talk about another law
7:02 pm
where other people would like to see a rewrite. the cable industry, they keep saying that broadcasters have an unfair advantage and the 1992 act needs to be rewritten. what's your take? guest: it's always interesting on these things. you know, my take is that this is fundamentally an economic battle between two industries over how you divide an economic pie. my guess is that the most critical thing is not what is being debated, and here's what i mean by that. right now, the debate is what is the nature of the law. in a very important piece that the firm, sanford bernstein put out on the impact on poverty on the telecommunications sector, it's pointing out that we are now, because of what's going on in our greater economy, we're reaching a point where a huge portion of the population is not really going to be able to afford the kinds of things that
7:03 pm
we think of as being almost essential. and if i was in the industry, this would be my biggest concern. the problem with the way retrans has gone is that it's constantly raised the rates for multichannel video. and the broadcasters align the cable guys, i'm not opining either one. i'm just saying the entry price is going to be out of reach for most americans. and so, there will have to be a change. i have a feeling that change is going to be driven by economics, not by change in law. it's either going to be driven by the economics of everyone finally realizing you can't start at $100 a month or whatever the starting point is. that number is probably a little high, but whatever the number is, it's too high for tens of millions of americans. or it could be changed through things like netflix over the top video. so that's why i think that debate is going to come. >> eliza, we have time for one more question. >> do you see following up to
7:04 pm
that, over the top video as a complement or a substitute to traditional cable? >> absolutely a complement, no question about it. the question is what happens to the longer run. when i got to the f.c.c., wireless was a complement, not a substitute. now it's a substitute product. i think that will fundamentally be driven by economic decisions. i think by the producers, the creators, the studios, they could end up cannibalizing some existing revenues. but if they don't cannibalize their own, somebody else might cannibalize it for them. so that's the challenge. >> blair levin, thank you for giving us your views. we look forward to having you back. eliza, thank you as always. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2011] >> executives for sony and
7:05 pm
epsilon testified at a house hearing examining the issue. this is a little over an hour. >> in the wake of massive data breaches at sony and epsilon, we are painfully more aware this same information can be used to falsify your identity. the time has come for congress to take action. the chair now recognizes herself for an opening statement. with nearly 1.5 billion credit
7:06 pm
cards now in use in the united states and more and more americans banking and shopping online, cyberthieves have a treasure chest of opportunities today to get rich quick. the federal trade commission estimates that nearly nine million americans fall victim to identity theft every year, costing consumers and businesses billions of dollars annually, and those numbers are growing steadily and alarmingly. in recent years, sophisticated and carefully orchestrated cyberattacks designed to obtain personal information about consumers, especially when it comes to their credit cards, have become one of the fastest growing criminal enterprises here in the u.s., as well as across the world. just last month, the justice department shut down a cyber crime ring believed to be based in russia, which was responsible for the online theft of up to $100 million. the boldness of these attacks and the threat they present to unsuspecting americans, underscored recently by massive data breaches at epsilon and
7:07 pm
sony. in some ways, sony has become ground zero in the war to protect consumers' online information. the initial attacks on sony's playstation network and online entertainment services, which put some 100 million customer accounts at risk, were quickly followed by other attacks at other sony divisions and subsidiaries. the company, to its credit, has taken some very aggressive steps to prevent future cyberattacks, such as installing new firewalls, enhancing data protection, and enhancing their encryption capabilities, expanding automated software monitoring, and hiring a new chief information security officer. these are all important new safeguards, but with millions of americans in harm's way, why weren't these protocols already in place? one of the most troubling issues is how long it took sony to notify consumers. and the way in which the company did it, by posting an announcement on its blog. in effect, sony put the burden on consumers to search for information instead of
7:08 pm
providing it to them directly. this cannot happen again. while i remain critical of their initial handling of these data breaches, as well as their decision not to testify at our last hearing, it's clear that since then the company has been systematically targeted by hackers and cyberthieves who are constantly probing sony's security systems for weaknesses and opportunities to infiltrate its networks. so, today, i'm not here to point fingers. instead, let's point the way, a better, smarter way to protect american consumers online. as i have said, you shouldn't have to cross your fingers and whisper a prayer whenever you type in a credit card number on your computer and hit enter. ecommerce is a vital and growing part of our economy. we should take steps to embrace and protect it, and that starts with robust cybersecurity. as chairman of the subcommittee, i believe that the lessons learned from the epsilon and sony incidents can occur.
7:09 pm
steps are being taken to prevented future -- what's done to mitigate these sacrifices, what policies should be in place to better protect american consumers in the future. consumers have a right to know when their personal information has been compromised, and companies have an overriding responsibility to promptly alert them. these recent data breaches only reinforce my long-held belief that much more needs to be done to protect sensitive consumer information. americans need additional safeguards to prevent identity theft, and i will soon introduce legislation designed to accomplish this goal. my legislation will be crafted around three guiding principles. first, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data. second, information considered especially sensitive, such as credit card numbers, should have even more robust security safeguards in place. and finally, consumers should be promptly informed when their personal information has been jeopardized. the time has come for congress to take decisive action.
7:10 pm
we need a uniform national standard for data security and data breach notification, and we need it now. while i remain hopeful that law enforcement officials will quickly determine the extent of these latest cyberattacks, they serve as a reminder that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk. and we have a responsibility as lawmakers to make certain that this happens. and now i would like to recognize the vice-chairman -- oh, i'm sorry. i didn't see the ranking member, mr. butterfield, for his five-minute opening statement. >> thank you, chairman bono mack for your diligence. i've been in my office with 28 constituents, one of whom was a world war ii veteran and several vietnam veterans, and they wanted to take pictures, and you know that drill, and so i had to accumulate them as best as i could. but we're here, and thank you
7:11 pm
very much for convening this hearing today. i certainly thank the two witnesses for your presence. madam chairman, thank you for holding this hearing on data security and the recent breaches that we have seen at sony and epsilon. last month, well over 100 million consumer records had been compromised as a result of those breaches, including full names, email, and mailing addresses, passwords, and maybe even credit card numbers. those two major breaches illustrate no company is safe and we must always operate at a heightened level of security and vigilance. no company wants its data compromised, and sony and epsilon are certainly no exception. sony was victim to hackers who stole nearly 100 million consumer records, and it took engineers several days to realize that there was an intrusion. during that time, hackers had full access to sony's servers. the breach that occurred at epsilon was very large and
7:12 pm
involved the names and email addresses of about 50 of epsilon's clients, with conservative estimates of 60 million records stolen. luckily, no critically sensitive information was stolen, but it easily could have. it is important that businesses do all they can do to protect consumers from having their information fall into the wrong hands. for many americans, shopping, paying bills, and refilling prescriptions, and communicating with friends and family, and even playing games are all done online. as people share more and more information online, the potential for personally identifiable information to be compromised increases exponentially. names, physical addresses, dates of birth, social security numbers, and credit card numbers are just a few of the types of information that hackers are able to access and exploit. while 46 states have laws requiring consumers to be
7:13 pm
alerted to this, there's currently no federal standard to address this. there's no federal law requiring companies that hold p.i.i. to have reasonable safeguards in place to protect this information. without a federal standard, i am concerned that american consumers remain largely exposed online. and during the 109th congress and subsequent congresses, members of this committee worked in a bipartisan fashion to develop the data, accountability, and trust act to address the issue of data security. the data bill of the 111th congress by my friend and former chairman of the subcommittee, mr. rush from illinois, would have required entities holding data containing personal information to adopt reasonable and appropriate security measures to safeguard it. and in the event of a breach, to notify affected individuals. the data bill passed the house in the 111th congress, but our friends in the senate did not act. the data bill is a good foundation to improve the
7:14 pm
security of ecommerce, something that is good for consumers and good for business. it would give american consumers more peace of mind about online transactions and make them more likely to continue and expand their use of online services. and so, madam chairman, we have learned a lot from the breaches at sony and epsilon, and i expect to learn more today from our two witnesses. i want you to know that i stand ready to work with you and our colleagues to pass a strong bipartisan data security bill like the data bill that we saw in the last session. i thank today's witnesses for their testimony and look forward to each of you. thank you very much. i yield back. >> thank you. chairman upton yielded his five minutes for an opening statement to me in accordance with committee rules. i recognize miss blackburn for two minutes. >> thank you, madam chairman. i will submit my full statement. a couple of comments. i think that the sony and
7:15 pm
epsilon breaches raise a lot of questions with our constituents. what they're asking us is, number one, how do you minimize identity theft? number two, they want proper notifications from the vendors that they are doing business with. and number three, they want to see better coordination with law enforcement. they feel as if this is missing, and i know that as we address this, what we're going to have to look at is better government coordination, incentives for industry cooperation in this issue, stricter penalty deterrents against hackers, and a flexibility framework for risk assessment and breach alerts. as we do this, i hope we will continue to look at the threat of digital protection of intellectual property. the two are interrelated, and we deserve -- they both deserve attention, and i have to tell
7:16 pm
you, with the new music cloud services from apple, google, and amazon, my concern is that we hold everybody accountable and secure the integrity of that system. i do want to highlight on the issue of illegal downloads and file sharing, my home state of tennessee has just passed and signed into law a bill that puts in place penalties for this. they have made this a crime in our state, and i'm glad they did it, because losing content to the rogue websites not only becomes an issue for the entertainment industry, but it exposes consumers to viruses, dangerous products, and increases the likelihood of data theft, so i thank you all for being here, and i yield back my time. >> i thank the gentlelady and the chair recognizes mr. stearns for two minutes.
7:17 pm
>> thank you. i think as mentioned by the chairwoman, the f.t.c. recently reported nine million americans have fallen victims to identity theft. and i think it's puzzling a corporation as strong and as comprehensive as sony, you would think would have the ability to certify that their data is secure. as recently mentioned, over 45 states have independently adopted data breach notification requirements, but, of course, there's no law on the federal basis. so it's good that you folks are here so we can ask you some questions about, you know, perhaps if you know who the people were, what was the requirements that you set up in the corporation as extensive as sony, and do you think there's a criminal case here that should be prosecuted. so there's lots of questions, so i appreciate your coming here. as many of you know, i had a bill when i was
7:18 pm
chairman of the subcommittee that we got out of the house. unfortunately, it did not get through the senate, and i've introduced it with mr. matheson again. it simply requires the federal trade commission to develop these regulations requiring persons that own or possess electronic data to establish necessary policies and procedures, as well as notification mechanisms. so both of our witnesses today certainly have within their power to provide the software, the data security provisions that are necessary. i think it must be puzzling to them, as well as to us, why this happened to them, because considering how sophisticated both of them are, i've had the opportunity to talk to them in my office, so it's very appreciative that you took the time to talk to us, and we look forward to your testimony. thank you. >> the chair recognizes mr. olson for one minute. >> i thank the chairwoman.
7:19 pm
as we all learned this morning, overseas hackers from china hacked into google email accounts. like sony, epsilon, and now google, my home state of texas has experienced a massive data breach in april of this year, with almost 3.5 million people had their personal information, their names, mailing addresses, and social security numbers compromised from the office of the texas comptroller. it was posted to a public server. there's a clear need for government, businesses, and citizens to work together to protect citizens' personal information. look forward to working with the chairwoman on comprehensive data security legislation. i thank the witnesses for coming, and i yield back the balance of my time. >> thank the gentleman, and turn our attention to the panel. we have a single panel of very distinguished witnesses joining
7:20 pm
us today. welcome. each of you have a prepared statement that will be placed but if you could summarize your statements remarks, we'd appreciate it. on our panel, we have the epsilon data management l.l.c. also testifying is the president of sony network entertainment international. good afternoon and thank you both very much for coming. you will each be recognized for five minutes. to help you keep track of time, there's a clever little device in front of you, red, yellow, green, and when the light turns yellow, please summarize, as you would a traffic light. so ms. fitzgerald, you're recognized for five minutes. and please remember, the microphone, pull it close to your mouth, if you would. excuse me, would you pull the microphone up? >> better? >> thank you. >> good morning. chairman bono mack, ranking
7:21 pm
member butterfield, and distinguished members of the subcommittee, my name is jeanette fitzgerald, and i'm the general counsel for epsilon data management. thank you for inviting me to present epsilon's testimony on data security. i hope that i can provide information today and going forward that will act as a helpful resource as you consider data security legislation that is in the best interests of both consumers and business. my full written testimony has been submitted for the record. i will summarize it here and hope to leave with you three main points. first, who is epsilon and how do we provide important data management services for our clients? second, how the attack of march 30 occurred and what we are doing to apprehend the perpetrators and improve our own data security. and finally, why we think national data breach notification legislation is important. epsilon is the leading provider of permission-based email marketing services. our clients, some of the world's largest and best known
7:22 pm
consumer and financial services brands, count on us to send their email messages to their customers, the individual consumer. and as we all know, major brands use email messages to provide consumers with timely information about new products and sales and events, among other things. epsilon ensures that these email messages comply with applicable legal requirements, including the can-spam act. to earn and keep our clients' trust, epsilon became the first in the industry in 2006 to certify that its information security program complied with standards issued by the international association of standardization, known as iso. they are known by many countries, including the united states, as identifying best practices for information security management. the standards are demanding, requiring over a year to earn
7:23 pm
initial certification. we are proud that epsilon led the industry and that we have achieved yearly recertification, which requires proof that the company is improving its security program each year. notwithstanding our internal procedures and our compliance with these rigorous data security standards, as you know, epsilon was the victim of a criminal hacking incident at the end of march. since our information security program was designed to identify and respond to attacks and threats, we were quickly able to detect the unauthorized download activity, which triggered epsilon's security incident response program. our investigation, both internal and with an independent third party, is coordinated closely with the secret service and is still ongoing. but we can say that the initial investigation confirms that only email addresses and, in some cases, first and last names, were affected by this attack. again, only email addresses
7:24 pm
and, in some cases, first and last names were affected. the details of what happened after the attack are in my written statement that has been submitted for the record. we are greatly troubled that this criminal incident has called into question our commitment to data security. but i want to leave with you four main points about what happened and how epsilon responded. our internal response to the attack was immediate. we isolated computers and changed employee access rights. second. our forensics investigation began within hours. we also reached out to law enforcement just as quickly. third, notification to our clients also occurred on the same day, and we released a public statement and posted additional information on our website shortly thereafter. and finally, now and going forward, we reiterate our commitment to working with the secret service, apprehending the hackers, and improving our own security.
7:25 pm
companies like epsilon are on the front lines in the fight against data theft. we also believe congress has an important role to play in protecting consumers. to that end, epsilon fully supports legislation that would create a uniform standard for data breach notification. the current patchwork of over 45 individual state breach notification laws is confusing. a uniform national law, on the other hand, would provide predictability and equitable protections for consumers, regardless of their state of residence. chairman bono mack, ranking member butterfield, and members of the subcommittee, we look forward to working with you as the legislative process moves forward. i sincerely hope that the information i'm able to provide at this hearing is helpful to the subcommittee as it considers this critical issue. thank you. >> thank you. >> thank you. thank you for providing sony
7:26 pm
with this opportunity to testify. my position is based in california, where we employ approximately 700 people in five offices around the state. i'm chiefly responsible for the business and technical aspects of sony's playstation network and qriocity, an online service that allows consumers to access movies, television shows, music, and video games. sony network entertainment, sony online entertainment, another subsidiary of sony's, and millions of our customers were recently the victims of an increasingly common digital-age crime, cyberattack. we've been reminded no one is immune from the threat of cyberattack. businesses, government entities, public institutions, and individuals can all become victims. the attack on us was, we believe, unprecedented in its size and scope.
7:27 pm
the underground group was associated with wikileaks last year, massive denial of service attacks against numerous sony internet sites in retaliation for sony bringing action in federal court to protect its intellectual property. one or more highly skilled hackers infiltrated the playstation and sony online entertainment. sony network entertainment and online entertainment have always made a concerted and substantial effort to maintain and improve their data security systems. we hired a well respected cybersecurity firm to enhance our defenses against the denial of service attack, but, unfortunately, no entity can foresee every potential cybersecurity threat. we have detailed for the subcommittee in our written testimony the timeline from when we first discovered the breach, but to briefly summarize, the first indication of a breach occurred on tuesday, april 19, of this year. on wednesday, april 20, we
7:28 pm
mobilized an investigation and immediately shut down all of the playstation network services in order to prevent additional unauthorized activity. after two highly respected technical forensic firms were retained to assist in the time-consuming and complicated investigation, on friday, april 22, we notified playstation network customers via post on the playstation blog that an intrusion had occurred. after a third forensic firm was retained on monday, april 25, we were able to confirm the scope of the personal data that we believed had been accessed. although there was no evidence credit card information had been accessed, we could not rule out the possibility. therefore, the very next day, tuesday, april 26, we issued a public notice that we believed personal information of our customers had been taken and that while there was no evidence that credit card data was taken, since we could not rule out the possibility, we had to acknowledge that it was possible. we posted -- we also posted this on our blog, and began to email each of our account
7:29 pm
holders directly. we did not merely make statements on our blog. on sunday, may 1, sony online entertainment, a multiplayer online video game network, also discovered that data may have been taken. on monday, may 2, just one day later, sony online entertainment shut down this service and notified customers directly that their personal information may have also been compromised. throughout this time, we felt a keen sense of responsibility to our customers. we shut down the networks to protect against further unauthorized activity. we notified our customers promptly. when we had specific, accurate, and useful information, we thanked our customers for their patience and loyalty and addressed their concerns arising from this breach with identity theft protection programs for the u.s. and other customers around the world where available, as well as a welcome back package of extended and free subscriptions, games, and other services. and we worked to restore our networks to protect our customers' interests. let me address the specific issues you are considering
7:30 pm
today. notification of consumers when data breaches occur. laws and common sense provide for companies to investigate breaches, gather the facts, and then report data losses publicly. if you reverse that order, issuing vague or speculative statements before you have specific and reliable information, you either send false alarms or so many alarms that these warnings may be ignored. we, therefore, support federal data legislation and look forward to working with the subcommittee on the particulars of the bill. one final point, as frustrating as the loss of networks for playing games was for our customers, the consequences of cyberattacks against financial or defense institutions can be devastating for our economy and security. consider the fact that the defense contractor, lockheed martin, and the oakridge national laboratory secured the nation's electric grid were also cyberattacked within the past two months. by working together to enact meaningful legislation, we can limit the threat posed to us all. we look forward to this
7:31 pm
initiative to ensure that consumers are empowered with the tools they need to protect themselves from cybercriminals. thank you very much. >> thank you, mr. schaaff. i'd like to thank you for your unique insight into these disturbing data breaches. i'm confident that the lessons learned will assist us in our efforts to develop new online safeguards for american consumers. i'm going to recognize myself for the first five minutes of questioning. mr. schaaff, given the extreme makeover of the online security protocols, it does beg the question, why weren't many of these safeguards in place before the april data breaches? >> we believed that the security that we had in place was very, very strong, and we felt that we were in good shape. however, as the attacks indicated, the intensity and sophistication of the hack was
7:32 pm
such that even despite those best measures that we had taken, it was not sufficient. and as we recognized moving forward that the security threat that we're likely to be under from the hackers will continue, we've made additional commitments to enhance the security to our networks. in addition, we had been working for more than 18 months to expand the exafflet and security of our network. we're a new business, but a very fast growing business. >> let me jump ahead. you indicated, or sony in the may 3 letter, that you contacted the f.b.i. on april 22, which was two days after you learned a breach had, in fact, occurred. why did sony wait two days to notify law enforcement? >> my understanding is that we notified them as soon as we had something clear that we could report that indicated some sign of external intrusion that would be unauthorized or illegal. >> your testimony indicates four servers were taken offline on april 19 before you pulled
7:33 pm
the plug on all 130 servers. can you tell us what information was different that was stored on those initial four servers? >> well, they were -- these were part of a larger network of machines, and we believe this was just the first entry point that the hacker may have used to get into the network, and upon discovering them, we immediately shut them down. but there were other servers that were also attacked by the hackers as well. >> some media reports indicate sony's servers may not have had up-to-date patches or firewalls prior to the attack. is that true? >> that's actually patently false. servers were fully up to date, fully patched, and, in fact, we had several layers of firewalls in place, also contrary to many of the things that you may have read on the internet. as you know, the internet isn't always a reliable source of factual information. >> and you state that you believe the cyberattack on sony was unprecedented in both size and scope. can you explain why you believe it is unprecedented? >> well, we believe that the
7:34 pm
sophistication of the attacks, the collection of activities that were undertaken, the period of time in which the hackers were carefully exploring the network, and then ultimately the scope of the service that was breached makes it quite a remarkable attack. and despite the deep security measures that we had taken, it was nevertheless insufficient to guard against these attacks. >> was the consumer data you held encrypted, and why or why not? >> the credit card information was encrypted. password, log-in, data was protected using hash functions, and these practices are in line with industry practice. >> thank you. >> ms. fitzgerald, would greater security requirements have prevented your breach, and if not, what added protection are your new security measures providing? >> at the time, we had very extensive security, as i noted
7:35 pm
in my opening statement and the written statement i've provided. we've continued through the investigation to evaluate additional things that may be done to strengthen both our networks and any of the access points. we have also decided to hire some outside experts to even evaluate the network further and see if there's anything else in different parts of our network that need to be adjusted.
>> coming as a consumer who received multiple notices about your breach, there are also indications that consumers received notice of the breach from your business customers, for which, in some cases, they hadn't had a purchase or customer relationship for four or five years. do you ever purge your data, and why do you hold on to information for as long as you do?
>> let me step back a second to remind everyone how epsilon plays in this. epsilon is a service provider to the well-known names that you may have received notifications from, and they
7:36 pm
had the relationship with the consumer. what data we hold is determined by the client, and the client then tells us what to hold, and what we do with it in terms of sending out notices is entirely up to the clients.
>> do you advise them on when it might be a good time to purge data?
>> it depends on what they want to do with the data, and there's also opt-out data that would have been held, because in order to comply with can-spam, you have to maintain records of who has opted out. so if two years ago you opted out and you haven't had any activity, that list would still be there, because you have to comply with can-spam, so we have to be able to duplicate or take those names out any time that we do a mailing.
>> thank you. my time is expired. i recognize the ranking member, mr. butterfield, for his five minutes.
>> thank you, madam chairman. if i have any time remaining, i'll
7:37 pm
go over to ms. fitzgerald. i understand that your internal investigation has not turned up any evidence suggesting that credit card data was taken from the network. to me, that doesn't mean that the data was not taken, just that you haven't turned up any digital fingerprints that would allow you to know with certainty that it was taken, and i think you see what i'm taking there. how certain are you that the data was not taken in the attack?
>> well, as you know, we have been involved in an intensive investigation over the past six weeks since the breach occurred, and we have looked deeply at the logs related to the databases, and in those logs, we have found no clear evidence that there was any access made to the credit card information, and we found plenty of evidence that suggests that that data was not accessed. that's the basis for today's
7:38 pm
statements that we do not get the credit card information compromised.
>> you mentioned the attack took place on april 19, that the playstations were shut down on april 20, and that you did something on april 22. help me with that, if you would shed light on what you did.
>> on april 22, we were -- we first notified consumers that there had been an intrusion. we were trying to understand what happened to the network, and we were actively beginning the investigation of that breach. and at the point that we were able to determine that there had been an intrusion, we immediately notified consumers so that we would -- so that they would be aware of what had occurred, even though at that time we were not yet able to confirm precisely which data may have been compromised.
>> so is it your testimony you began the process of notifying
7:39 pm
the consumers?
>> we notified them of the intrusion, but then on april 26 we followed that up with an additional notification regarding more specifics related to the actual data that may have been breached, and we began immediately notifying consumers starting from that date via email.
>> but the april 22 announcement was simply on the internet. it was -- on the blog.
>> the playstation blog is one of the most active and popular blogs on the web. it's currently ranked about number 20, just behind the white house blog. so it's a very, very expected place for our consumers to look for information.
>> do you have any way of knowing how many consumers actually read the statement?
>> i don't know the answer to that off the top of my head. we can investigate.
>> but seven days after the breach was when official notification was issued.
>> we were not able to
7:40 pm
determine until the day that we had notified consumers. we were searching for evidence that would allow us to confirm the status of its information.
>> actually, what's been interesting from my perspective is that we continue this investigation in the successive weeks, and as you hear me speaking today, some of our conclusions with respect to credit card information have changed somewhat from our original statements. and that change has occurred because of the continuing investigation. in an abundance of caution, we acknowledged the possibility that credit cards would have been taken in our announcements on the 26th, but as you can see, the situation changes as the investigation proceeds, and we felt it would have been irresponsible if we had notified consumers earlier with partial or incomplete information.
>> but you have, based on your experience here, made some corrections and some adjustments in the credit card data that you collected.
7:41 pm
>> we have been working to increase the security of the entire network. and additional controls related to credit card data have also been put in place, yes.
>> and how do these measures compare to those for the other types of personal information that you have, the credit card data, the other information?
>> yes, excuse me, the credit card information is the most highly protected and guarded information. it's all encrypted. and so even if it's taken, it's not likely to be useful to the hacker.
>> is it true that user passwords were hashed and not encrypted?
>> that's true. it is true that they were hashed using hash functions. that's an industry practice which is very standard. it's not an unusual practice at all.
>> industry standard. well, why don't you use any type of encryption in your procedures?
>> it is a form of protection that's very, very closely related to encryption, and i'm not an expert in cryptography,
7:42 pm
i could answer the question in a more detailed manner.
>> what is irreversible encryption?
>> that's my understanding of the definition of a cryptographic hash.
>> ms. fitzgerald, you state that your investigation revealed the log-in credentials of the employee who reported unusual and suspicious download activity had been compromised. and in layman's terms, i suppose, i assume this means the employee's credentials had been hijacked and used by a hacker to carry out the intrusion into your network and steal consumers' email addresses. can you please tell me a little bit more about what that means, that the employee's log-in credentials were compromised?
>> well, what we had understood during the investigation is that the credentials were somehow used based on the logs, so not necessarily by that
7:43 pm
person -- so not necessarily by that person to actually download that information. that's why we then immediately -- our system kicked into place, and immediately we saw that there were improper downloads, and so our security system kicked in, and we knew that there was a problem and we shut their access down and anybody else who had credentials at that level.
>> thank you. my time is expired.
>> i thank the gentleman and recognize the gentleman from florida for five minutes.
>> thank you, madam chair. let me be sure i understand exactly what was taken. our understanding is emails were taken and the names of the people whose email was taken, is that correct?
>> i'm sorry. was that to me?
>> yes.
>> yes. what was actually taken --
>> email addresses, first and, in some cases, first and last names.
>> and that was all?
>> yes.
7:44 pm
>> and you said that you've notified all 50 to 75 customers, is that correct?
>> there were about 50 customers of ours, clients that were affected. and we notified them.
>> would you provide the committee the complete list?
>> the names of those clients are subject to agreements that we have with them, and we're supposed to keep those confidential.
>> so we cannot --
>> so we notified them promptly --
>> no, i know you notified them, but you cannot provide the committee with these names, is that what you're saying today?
>> not at this point, no.
>> now, i have in our material that some of these people are j.p. morgan chase, capital one, citibank, best buy, verizon, target, home shopping network, is that part of them?
>> i recognize most of those names.
>> they are people that have huge numbers of people.
>> so the impact of this 50 to 75, we cannot even comprehend
7:45 pm
how many verizon has, so can you extrapolate? not telling us in detail, but if verizon is one of your customers and you had a breach with emails and names, does that mean that perhaps millions of names from verizon had been breached?
>> there could be --
>> just yes or no. yes, ok?
>> yes.
>> now, with sony, the question is, as i understand it, the password for the sony playstation was breached, is that correct?
>> well, we believe there were a number of different types of information accessed, including first name and last name, address, date of birth, log-in address.
>> for the sony playstation?
>> for the playstation network, yes.
>> and what about their credit cards?
>> as i said, we had originally stated that there was a possibility. we could not rule out the possibility that the credit
7:46 pm
card information had been accessed. at this point in time, we do not see any evidence that it has been.
>> when you look at the person's credit card together with personal information, his password for sony playstation, would one person have all of that breached for that one person, so is it segmented so somebody else got their credit card, personal, or is all this information together?
>> it's difficult for us to know exactly which data was taken, but it is likely that they would have been taken together. but we don't know for which accounts that would have been.
>> and what is the conservative estimate, the number of people that were affected by this breach?
>> so we've announced that there were approximately 77 million accounts that could have been accessed. when we took the network offline, all our customers were affected for the period of time that the network's been down, but that's part of the reason why we provided the identity theft insurance, identity theft protection program, and these
7:47 pm
welcome back programs, was to appreciate and acknowledge the loss of access to the network that our customers experienced and to address the concerns they may have regarding the loss of their personal information.
>> is it true that you brought suit to protect your i.p. against the hackers of playstation 3?
>> that is true.
>> why did you bring this suit?
>> well, just like the music industry and the movie industry, the playstation business is built upon intellectual property. content providers invest millions of dollars to create titles that we then helped them to distribute in our business and the employment of literally tens of thousands of people around the country.
>> knowing what has happened to you with this breach, would you say that you would do it again?
>> i'm sorry. i didn't hear the question.
>> knowing what has happened with this breach, would you go ahead and have done that suit again in hindsight?
>> well, i think this is one of the great challenges right now is how do companies protect their content businesses. i mean, i think we made the
7:48 pm
right decision. did it have consequences? it appears to have had some fairly negative consequences for the company. but if we hadn't done something, i think it would be playing out later on. i think this is a big issue.
>> now, assuming we have federal legislation, do you think federal legislation to address security breaches would help? because i understand both of you are in states where we have state legislation, and that didn't seem to necessarily force you to have a secure data security department. so why would federal legislation make it better than what the states have already passed? you didn't comply with the states.
>> well, i think that the issue regarding the states' rights -- i'm not a lawyer, let me mention up front, i'm not a lawyer. but my understanding is there are a variety of laws in a number of states, but the laws are often and seemingly in conflict, and they can create very complicated situations for us to understand how we should behave properly with regard to
7:49 pm
notification obligations. regarding the security of the network, i think the evidence of epsilon, of sony, of many other companies that have been reported in the news in the last several weeks indicates that despite spending millions of dollars to secure your networks, despite all of the best methods known to us, our networks are not 100% protected. it's a process that requires continual investment, and we do that, but i think without additional support from the government, it's unlikely that we will all collectively be successful, and that will threaten the livelihood of the internet, the growing internet economy.
>> time has expired. the chair recognizes mr. guthrie for five minutes.
>> thank you, madam chairman, for having this hearing. i appreciate it very much. so, just follow up on what mr. stearns said. the patchwork of state laws, the different jurisdictions complicated your ability to respond, you didn't say that,
7:50 pm
is that what i heard?
>> i responded to the issue about the notification obligation.
>> right.
>> there are some conflicting obligations there.
>> so a federal standard would be --
>> that would preempt the states would be extremely helpful.
>> i just want to get the nature -- so, epsilon is a vendor for you. vendor for sony. so did the hacker go to epsilon? or sony to epsilon to get to the other?
>> let me clarify. these are two completely separate breach events. so the activity at epsilon was completely unrelated to, as far as we know, what happened at sony.
>> so you're not a vendor with epsilon. oh, ok. so the other customers -- oh, ok. i apologize. so your other customers, they came -- epsilon, they got to your system, and then through your system, were able to -- at least the companies you notified, verizon that was mentioned earlier, that's how
7:51 pm
that breach worked.
>> so as a vendor, and our ability to send out email addresses on behalf of those clients requires us to maintain those email addresses for them. that's how the hackers got in and got that information.
>> ok. has sony been victim before of any type of breach? if so, how does that -- not to this level, i know.
>> we certainly experience a constant level of fraud, and we are under regular probing by hackers and others. i think it's a standard part of anybody who's in the internet business these days.
>> for both of you, too, i know i have a manufacturing background, and we did iso 9000. they have 14,000 standards for environmental, and they're a good practice to follow. but as we leave a lot of interpretation to the businesses, because otherwise they're formed by committee, and it would be difficult to
7:52 pm
change every time something needs to be changed. i'm not familiar with this particular standard that you're talking about, but is this sufficient if you follow the i.s.o. standards? i guess my question is, your industry is so changing, fast changing, that when you're in the automotive industry, you put a standard in place, it takes a while for things to innovate, the standard is out of date. it appears to me when i saw i.s.o., it would be difficult for them to keep up with the changes in the industry, or the changes -- i guess i'm saying the ability of people to hack to innovate to find new ways into your system. so i guess i.s.o. being certified, do you think it's sufficient?
>> we don't use the i.s.o. as the only thing we do. we have lots of audits by our clients. we have other audits we have to do. and frankly, we have our own security program, where we're continually trying to upgrade our systems and to make sure that we make things as tight as
7:53 pm
we can, but the hackers are very sophisticated. this wasn't some guy in a garage just coming after us. these are sophisticated guys. i've talked to the secret service enough times to know we're not the only one and that they're working with the f.b.i. and there's a concerted effort to go after these guys.
>> i would concur. i think these guidelines and standards are important for the industry to move forward, but they are far from sufficient. if they had been sufficient, epsilon wouldn't be here. and i think that we are all under attack, and without additional measures to be taken and without kind of constant renewal of our practices, it's not going to be sufficient to fight the latest attacks.
>> ok, thank you.
>> i guess what i'm concerned about is i know sony, any time you
7:54 pm
have to spend money because somebody did something illegal, that's an inefficiency to everybody, but the two or three small businesses in kentucky that maintain their clients' files, and just having the resources to be able to respond, that's to protect their client, to protect their customers. do you have any estimate of how much money just these events are going to cost your firm? you know the economy overall.
>> yeah, i believe we've made statements publicly estimating a cost something in the range of $170 million for this particular incident.
>> as you note, for smaller businesses, number one, the ability to secure their networks as effectively is less because of the economics of that. and the evidence that i've seen in various reports suggests that the prevalence of attacks on small and mid-sized businesses is even higher than the successful attack is even higher than with the larger
7:55 pm
companies. it's a scary situation.
>> i yield back to the chairwoman.
>> i thank the gentleman. and the chair notes that we are being called to the floor for a vote. my intention is to try to get through two more members' questioning of five-minute segments before we recess. so the chair now recognizes mr. olson for five minutes.
>> i thank the chairwoman. and again, i thank the witnesses for giving us your expertise and time tosmede as i stated in my opening statement, my home state of texas experienced a serious and troubling data breach early this year. names, addresses, social security numbers, and in some cases, birth dates and driver's license numbers of state retirees and unemployment beneficiaries were posted, unencrypted, on a public server. in response, our state attorney general and f.b.i. have launched a criminal investigation into this data breach. unfortunately, these kinds of breaches are happening more frequently, and they cost
7:56 pm
businesses tens of billions of dollars actually. the federal trade commission estimates nine million individuals in the united states have their identity stolen every year. this is equivalent of approximately 17 identities stolen every minute. that means that during the course of this hearing, the followup might take five minutes, 85 i.d.'s across this country will have been stolen. in response to the texas data breach, the comptroller of public accounts launched a website called texas safeguard, which was created as a tool for texans to receive up-to-date information about the breach, along with recommended security steps to take. they actually put a toll-free number up for folks to call, and the comptroller is offering credit monitoring at no charge. there's also a frequently asked questions page which outlines six steps people can take to protect themselves. but this burden is placed upon these victims of this breach, and they've got to spend their own time enrolling in credit monitoring, placing fraud
7:57 pm
alerts on their credit lines, credit files, requesting credit reports and so on and so on and so on. given the breaches your companies have experienced and all the heartache and lost revenue, all the upset customers, all the resources you had to expend to determine how these breaches occurred, i don't want to put words in your mouth, but do you think there's a clear need for a comprehensive federal data breach notification law, one that would create a uniform standard and preempt the patchwork of state laws?
>> i do believe that it would be great if we had a federal data breach notification law that did preempt all of the state laws so it would be straightforward and companies would know exactly what they needed to take care of and who they needed to notify and when they needed to notify.
>> sony is also very supportive of such legislation, and we would be very happy to participate and help in the formation of that legislation.
>> thank you.
7:58 pm
and ms. fitzgerald, why did you choose to contact law enforcement, the f.b.i. and secret service, as soon as you became aware of the incident? and is this a typical response for epsilon, to get law enforcement involved?
>> well, we knew pretty quickly there had been data that had been downloaded and taken by somebody who wasn't authorized, and there was, it was a criminal act in our mind, and so we went to look for the right law enforcement to help us go after the bad guys.
>> ok. and for you, mr. schaaff, i know playstation had one heck of an april, but why did you conclude that notifying customers via the playstation blog was, as you stated, one of the best, fastest, and most direct means of communicating with customers?
>> in the years that playstation has been in business, we have managed this blog, and it has become a very, very popular source of information for our customers about new game titles and all kinds of information related to
7:59 pm
playstation. and we know that it's a good way to get a message out to customers quickly. of course, that wasn't the only way we communicated with our customers. we did follow up with public announcements through other channels, as well as email, direct emails to the consumers following the breach.
>> ok. one final question about sort of how you prepared for this. i mean, i know, ms. fitzgerald, you said epsilon had plans in place ready to go if some sort of breach happened, and i assume that's the same for sony.
>> absolutely.
>> i mean, is there a specific entity within both your companies that's proactive, somebody you've got in your company that sort of looks at your security systems and tries to penetrate it, tries to find the weaknesses, sort of a proactive approach instead of reacting to a breach by recognizing weaknesses within the company?
>> a successful approach to security involves proactive, as well as reactive approaches. and we definitely have those kinds of resources in place in my company and in