In April, we witnessed some of the largest data breaches in U.S. history, one of which reportedly affected more than 100 million consumers. Those breaches occurred as two comprehensive privacy bills (the Commercial Privacy Bill of Rights Act of 2011 and the Consumer Privacy Protection Act of 2011) were introduced in Congress, and they sparked investigations from officials and regulators around the world. This landscape increases the likelihood of action on federal privacy legislation this year, which could change the way that companies collect, use, store, and share personal information online and offline.
Recent breaches illustrate the ways that personal information can be compromised. In April:
- Sony experienced an unauthorized network intrusion that compromised account information for the PlayStation® Network and Qriocity™ service, including names, addresses, email addresses, birth dates, passwords, and logins for more than 70 million consumers;
- One week later, Sony announced that hackers may also have stolen information for approximately 24.6 million Sony Online Entertainment customer accounts, as well as information from a database with 12,700 non-U.S. credit or debit card numbers and 10,700 direct debit records of customers in Europe;
- The email marketing provider Epsilon (whose clients include major supermarket chains, hotel chains, banks, and retail stores) announced that a hacker obtained customer names and email addresses from the company’s system (but not more sensitive information, such as credit card numbers and social security numbers);
- The Texas Comptroller’s office inadvertently disclosed personal information of about 3.5 million residents (including names, addresses, social security numbers, dates of birth, and driver’s license numbers) on a server that was accessible to the public; and
- A New York Yankees employee sent an email to season ticket holders that mistakenly attached a spreadsheet with names, addresses, phone numbers, fax numbers, email addresses, and Yankees account numbers for approximately 20,000 ticket holders.
We are still experiencing the aftermath of the Sony and Epsilon breaches. Just days after Sony reported the breach, the company was named in a class action lawsuit, and Rep. Bobby Rush announced his intent to reintroduce data security legislation. Senator Richard Blumenthal requested an investigation of the Epsilon breach, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade sent letters to both Sony and Epsilon inquiring about the breaches, and the Subcommittee Chair, Rep. Mary Bono Mack, stated that she plans to introduce legislation.
Given the possibility of lawsuits, government action, and negative publicity following a major data breach, all companies that handle personal information, or entrust it to other parties, should carefully assess their policies, practices, and procedures before an incident occurs and prepare for new laws down the road.