The fallout from last month’s data breaches of Sony’s PlayStation Network and its Online Entertainment service continued this week.

  • On Tuesday, Sen. Richard Blumenthal (D-CT) sent a follow-up letter to Sony saying he is “deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches,” and New York Attorney General Eric Schneiderman subpoenaed Sony.  
  • Also, on Tuesday, Sony responded to an inquiry from Rep. Mary Bono Mack (R-CA), chair of the House Subcommittee on Commerce, Trade and Manufacturing, in a letter indicating that it had suffered a “large-scale cyberattack” by “very professional, highly sophisticated” criminals intent on stealing personal and credit card information.
  • Rep. Bono Mack held a hearing on data security on Wednesday during which she was critical of the response to date. 
  • On the international front, the EU also reportedly is considering action; Australian Privacy Commissioner Timothy Pilgrim is planning to examine whether Sony’s Australian subsidiary violated the country’s Privacy Act; and a Canadian law firm announced a $1 billion class-action lawsuit against Sony.  

While the Sony breach is notable and has generated considerable attention, its impact on potential federal data security legislation remains to be seen. Prior large breaches, such as TJX and Heartland Payment Systems, did not create much energy for such legislation, which also was felled by competing jurisdictional interests on the Hill. Data security will also have to compete with other proposals on privacy and cybersecurity for congressional attention. Thus, whether the recent spate of high-profile breaches, including Sony, Epsilon, and EMC, creates any momentum for federal data security legislation remains very much an open issue.