Data Security Issues Aired In House, Senate

Sony under investigation for data breaches; FTC says geolocation deserves hightened protection

Data security got a lot of face time on Capitol Hill
Wednesday, as two separate hearings focused, and touched on, respectively,
issues from Sony's online data breaches to the location-based data issues
involving Google and Apple.

The Attorney General said that Sony was under active
investigation for data breaches, while the FTC signaled that geolocation
is the kind of sensitive information that deserves heightened government
scrutiny and protection.

The House Energy & Commerce Committee bored down into
the issue with a panel of witnesses that included the Federal Trade Commission's
point person, David Vladeck, director of the Bureau of Consumer Protection.

On the issue of Apple's storing of geolocation
information for up to a year, Vladeck was asked by Rep. Bill Cassidy (R-La.)
whether the agency supported a "thou shalt not" approach of
legislation barring the saving of such data beyond a certain time period, he
said the FTC had not taken a position on that specific issue. But he did say he
supported making the use and storage of that data an automatic trigger for
notification of consumers about what was happening with it.

Apple and Google have both taken heat for their handling
of Geolocation info, Google for what it says was inadvertent collection of
data as part of its online mapping efforts, Apple for storing geolocation
info, unencrypted, for up to a year (it says that was a glitch) and backing up
that info on unsecured computers when iPhones were syncedAtt.

Vladeck pointed out that the FTC in a December report
recommended that geolocation data be considered the kind of personal information
that gets heightened protection. He also said that one of the questions it raised
in its ongoing review of child online protection laws is how to
treat geolocation info.

Cassidy asked what the argument was against limiting the
storage of geolocation information. Vladeck said that there were two
arguments--though he hastened to point out he was not advocating either. One
was that it enhanced the functions and the other was that it allowed them
to perfect the service. "I am rehearsing the arguments you will
hear," said Vladeck.

Justin Brookman, director of the Consumer Privacy Project at
the Center for Democracy and Technology, said he would be concerned by a
"thou shalt not" approach, saying there are reasonable uses for
retaining such data for longer periods of time, including a traffic
program that would remember his routes and give him the best info about them.

He and Vladeck were in agreement that there needed to
be clear consumer information, and not "buried in paragraph 40."

Vladeck said that the industry was not doing enough to
self-regulate in the area of data security, that Congress should pass
comprehensive data security legislation, that federal regs
should supersede state regs if the latter are not as strong, that
states attorneys general should be authorized to enforce federal data security
laws, that the FTC should have stronger rulemaking authority, and that it could
use more resources.

Those to the point answers were courtesy of the now iconic
"answer yes or no, please" line of questions from Rep. John Dingell
(D-Mich.), which all of the panelists honored to a degree unusual in such

Over on the Senate side, Attorney General Jeffrey Holder
said Justice was "actively engaged" in investigating Sony over two
recent data breaches.

Sony two weeks ago revealed that someone had hacked into
its PLaystation online gaming network and accessed millions of records.
Then this week it said that its SOny Online Entertainment gaming net had
been hacked, with millions more possible breaches, according to Ed Markey
(D-Mass.), co-chair of the bipartisan House privacy caucus.

"I am alarmed that twice within one week, sensitive consumer
information, especially that of children, has been exposed by hackers,"
said Markey. "Sony's tagline is ‘make.believe'. It also should be

At the Senate hearing, Holder said Justice and the FBI were
taking those Sony breaches "very seriously," while one legislator
said he was not happy with the way Sony has handled the situation, including
the length of time it took to inform consumers and take corrective action.

The mobile data security issue will be getting more
attention. Senator Al Franken (D-Miss.), chair of a new Judiciary privacy
subcommittee, has scheduled a May 10 hearing on "Protecting Mobile
Privacy: Your Smart Phones, Tablets, Cell Phones and Your Privacy," while
the Senate Commerce Committee also plans to hold a hearing on that issue this