Sony defends PlayStation security practices

A Sony executive on Thursday defended the time it took his company to respond when the PlayStation Network and online entertainment services were hacked in recent weeks, resulting in the loss of personal data on about 100 million users.

Sony Network Entertainment President Tim Schaaff also denied reports that the company had failed to install security patches or firewalls and said Sony has moved quickly to shore up its systems. Still, he said, despite the millions of dollars his company and others spend each year on computer security, they will never be 100 percent protected given the constant barrage of attacks they face.

"Despite taking what we believe were extremely appropriate and substantial steps to build a safe and protected network, hackers were able to get into our network," Schaaff told a hearing of the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing, and Trade.

Hackers stole the names, addresses, birth dates, usernames, and passwords of PlayStation and Sony online entertainment users. After initially reporting that hackers also might have obtained some credit card information, Schaaff said that Sony now believes no numbers were taken.

A separate breach at e-mail marketer Epsilon resulted in the loss of e-mail addresses and some names of customers of about 50 of Epsilon's corporate clients, Epsilon's general counsel, Jeanette Fitzgerald, said. She declined to release the names of those clients, but some of the firms have been widely reported to include major companies such as Best Buy, JPMorgan Chase, and Walgreens.

Last month, both Sony and Epsilon declined to appear before the panel. Subcommittee Chairwoman Mary Bono Mack, R-Calif., criticized their written answers then and was unhappy that they did not appear. But she said after Thursday's hearing that she is finally satisfied with the answers she got from the firms.

Both companies said they would support legislation setting a national data-breach notification standard that also would preempt the patchwork of state laws related to data security.

Mack said her staff will soon start drafting data-breach legislation that would require companies that hold personal information to provide adequate security for that data; provide enhanced protection for sensitive information such as credit card numbers; and notify consumers promptly when their personal data have been stolen.

She said she still believes that Sony took too long to notify its customers about the breach but noted that more work must be done to identify the most appropriate time frame for notifying consumers.

Schaaff cautioned against requiring companies to tell consumers about a data breach before the firms have had a chance to investigate. He said that if a company moves too quickly, it may panic customers unnecessarily, and if it provides too much information, consumers may start to ignore such notices.