[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


 
        SONY AND EPSILON: LESSONS FOR DATA SECURITY LEGISLATION

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 2, 2011

                               __________

                           Serial No. 112-55


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
71-258                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                    COMMITTEE ON ENERGY AND COMMERCE

       FRED UPTON, Michigan          HENRY A. WAXMAN, California
              Chairman                 Ranking Member
JOE BARTON, Texas                    JOHN D. DINGELL, Michigan
  Chairman Emeritus                  EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
ED WHITFIELD, Kentucky               FRANK PALLONE, Jr., New Jersey
JOHN SHIMKUS, Illinois               BOBBY L. RUSH, Illinois
JOSEPH R. PITTS, Pennsylvania        ANNA G. ESHOO, California
MARY BONO MACK, California           ELIOT L. ENGEL, New York
GREG WALDEN, Oregon                  GENE GREEN, Texas
LEE TERRY, Nebraska                  DIANA DeGETTE, Colorado
MIKE ROGERS, Michigan                LOIS CAPPS, California
SUE WILKINS MYRICK, North Carolina   MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                      JANICE D. SCHAKOWSKY, Illinois
JOHN SULLIVAN, Oklahoma              CHARLES A. GONZALEZ, Texas
TIM MURPHY, Pennsylvania             JAY INSLEE, Washington
MICHAEL C. BURGESS, Texas            TAMMY BALDWIN, Wisconsin
MARSHA BLACKBURN, Tennessee          MIKE ROSS, Arkansas
BRIAN P. BILBRAY, California         ANTHONY D. WEINER, New York
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
PHIL GINGREY, Georgia                G.K. BUTTERFIELD, North Carolina
STEVE SCALISE, Louisiana             JOHN BARROW, Georgia
ROBERT E. LATTA, Ohio                DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington   DONNA M. CHRISTENSEN, Virgin 
GREGG HARPER, Mississippi                Islands                        
LEONARD LANCE, New Jersey            
BILL CASSIDY, Louisiana              
BRETT GUTHRIE, Kentucky              
PETE OLSON, Texas                    
DAVID B. McKINLEY, West Virginia     
CORY GARDNER, Colorado               
MIKE POMPEO, Kansas                  
ADAM KINZINGER, Illinois             
H. MORGAN GRIFFITH, Virginia         
                                     

                                  (ii)
           Subcommittee on Commerce, Manufacturing, and Trade

                       MARY BONO MACK, California
                                 Chairman
MARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina
  Vice Chair                           Ranking Member
CLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                    MIKE ROSS, Arkansas
DAVE B. McKINLEY, West Virginia      HENRY A. WAXMAN, California, ex 
MIKE POMPEO, Kansas                      officio
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan, ex officio

  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement...............................     1
    Prepared statement...........................................     3
Hon. G.K. Butterfield, a Representative in Congress from the 
  State of North Carolina, opening statement.....................     4
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................     5
    Prepared statement...........................................     6
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     6
Hon. Pete Olson, a Representative in Congress from the State of 
  Texas, opening statement.......................................     7
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, prepared statement..............................    53
Hon. Edolphus Towns, a Representative in Congress from the State 
  of New York, opening statement.................................    53

                               Witnesses

Jeanette Fitzgerald, General Counsel, Epsilon Data Management, 
  LLC............................................................     8
    Prepared statement...........................................    10
    Answers to submitted questions...............................    55
Tim Schaaff, President, Sony Network Entertainment International.    17
    Prepared statement...........................................    19
    Answers to submitted questions...............................    58


        SONY AND EPSILON: LESSONS FOR DATA SECURITY LEGISLATION

                              ----------                              


                         THURSDAY, JUNE 2, 2011

                  House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 12:05 p.m., in 
room 2123 of the Rayburn House Office Building, Hon. Mary Bono 
Mack (chairwoman of the subcommittee) presiding.
    Members present: Representatives Bono Mack, Blackburn, 
Stearns, Harper, Lance, Guthrie, Olson, McKinley, Pompeo, 
Kinzinger, and Butterfield.
    Staff present: Charlotte Baker, Press Secretary; Allison 
Busbee, Legislative Clerk; Paul Cancienne, Policy Coordinator, 
Commerce, Manufacturing and Trade; Brian McCullough, Senior 
Professional Staff Member, Commerce, Manufacturing and Trade; 
Gib Mullan, Chief Counsel, Commerce, Manufacturing and Trade; 
Shannon Weinberg, Counsel, Commerce, Manufacturing and Trade; 
Michelle Ash, Democratic Chief Counsel; Felipe Mendoza, 
Democratic Counsel; and Will Wallace, Democratic Policy 
Analyst.

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mrs. Bono Mack. Good afternoon. If the room would please 
come to order. Guests, kindly take your seats. Thank you. So 
good afternoon.
    In today's online world, your name, birth date, and 
mother's maiden name are often used to verify your identity. 
But in the wake of massive data breaches at Sony and Epsilon, 
we are now painfully more aware that this very same information 
can be used just as easily to falsify your identity. The time 
has come for Congress to take action. And the chair now 
recognizes herself for an opening statement.
    With nearly 1.5 billion credit cards now in use in the 
United States and more and more Americans banking and shopping 
online, cyber thieves have a treasure chest of opportunities 
today to get rich quick. Why crack a vault when you can hack a 
network? The Federal Trade Commission estimates that nearly 9 
million Americans fall victim to identity theft every year, 
costing consumers and businesses billions of dollars annually, 
and those numbers are growing steadily and alarmingly.
    In recent years, sophisticated and carefully orchestrated 
cyber attacks designed to obtain personal information about 
consumers, especially when it comes to their credit cards, have 
become one of the fastest-growing criminal enterprises here in 
the U.S., as well as across the world. Just last month, the 
Justice Department shut down a cyber crime ring believed to be 
based in Russia, which was responsible for the online theft of 
up to $100 million.
    The boldness of these attacks and the threat they present 
to unsuspecting Americans was underscored recently by massive 
data breaches at Epsilon and Sony. In some ways, Sony has 
become Ground Zero in the war to protect consumers' online 
information. The initial attacks on Sony's PlayStation network 
and online entertainment services, which put some 100 million 
customer accounts at risk, were quickly followed by still more 
attacks at other Sony divisions and subsidiaries. Since then, 
the company, to its credit, has taken some very aggressive 
steps to prevent future cyber attacks such as installing new 
firewalls, enhancing data protection, and enhancing their 
encryption capabilities, expanding automated software 
monitoring, and hiring a new chief information security 
officer.
    These are all important new safeguards, but with millions 
of American consumers in harm's way, why weren't these safety 
protocols already in place? For me, one of the most troubling 
issues is how long it took Sony to notify consumers and the way 
in which the company did it--by posting an announcement on its 
blog. In effect, Sony put the burden on consumers to search for 
information instead of providing it to them directly. That 
cannot happen again.
    While I remain critical of Sony's initial handling of these 
data breaches, as well as its decision not to testify at our 
last hearing--and that goes for Epsilon as well--it is clear 
that since then, the company has been systematically targeted 
by hackers and cyber thieves who are constantly probing Sony's 
security systems for weaknesses and opportunities to infiltrate 
its networks.
    So today, I am not here to point fingers. Instead, let us 
point the way, a better, smarter way to protect American 
consumers online. As I have said, you shouldn't have to cross 
your fingers and whisper a prayer whenever you type in a credit 
card number on your computer and hit ``Enter.'' E-commerce is a 
vital and growing part of our economy. We should take steps to 
embrace and protect it and that starts with robust cyber 
security.
    As chairman of the subcommittee, I believe the lessons 
learned from the Sony and Epsilon experiences can be 
instructive. How did these breaches occur? What steps are being 
taken to prevent future breaches? What is being done to 
mitigate the effects of these breaches? And what policies 
should be in place to better protect American consumers in the 
future. Most importantly, consumers have a right to know when 
their personal information has been compromised, and companies 
have an overriding responsibility to promptly alert them. These 
recent data breaches only reinforce my long-held belief that 
much more needs to be done to protect sensitive consumer 
information.
    Americans need additional safeguards to prevent identity 
theft, and I will soon introduce legislation designed to 
accomplish this goal. My legislation will be crafted around 3 
guiding principles. First, companies and entities that hold 
personal information must establish and maintain security 
policies to prevent the unauthorized acquisition of that data. 
Second, information considered especially sensitive such as 
credit card numbers should have even more robust security 
safeguards in place. And finally, consumers should be promptly 
informed when their personal information has been jeopardized.
    The time has come for Congress to take decisive action. We 
need a uniformed national standard for data security and data 
breach notification and we need it now. While I remain hopeful 
that law enforcement officials will quickly determine the 
extent of these latest cyber attacks, they serve as a reminder 
that all companies have a responsibility to protect personal 
information and to promptly notify consumers when that 
information has been put at risk. And we have a responsibility 
as lawmakers to make certain that this happens.
    [The prepared statement of Mrs. Bono Mack follows:]

               Prepared Statement of Hon. Mary Bono Mack

    With nearly 1.5 billion credit cards now in use in the 
United States--and more and more Americans banking and shopping 
online--cyber thieves have a treasure chest of opportunities 
today to ``get rich quick.'' Why crack a vault when you can 
hack a network?
    The Federal Trade Commission estimates that nearly nine 
million Americans fall victim to identity theft every year, 
costing consumers and businesses billions of dollars annually--
and those numbers are growing steadily and alarmingly.
    In recent years, sophisticated and carefully orchestrated 
cyber attacks--designed to obtain personal information about 
consumers, especially when it comes to their credit cards--have 
become one of the fastest growing criminal enterprises here in 
the United States and across the world.
    Just last month, the Justice Department shut down a cyber 
crime ring--believed to be based in Russia -which was 
responsible for the online theft of up to $100 million. The 
boldness of these attacks and the threat they present to 
unsuspecting Americans was underscored recently by massive data 
breaches at Epsilon and Sony.
    In some ways, Sony has become ground zero in the war to 
protect consumers' online information. The initial attacks on 
Sony's PlayStation Network and online entertainment services--
which put some 100 million customer accounts at risk--were 
quickly followed by still more attacks at other Sony divisions 
and subsidiaries.
    Since then, the company--to its credit--has taken some very 
aggressive steps to prevent future cyber attacks, such as 
installing new firewalls.enhancing data protection and 
encryption capabilities. expanding automated software 
monitoring.and hiring a new Chief Information Security Officer.
    These are all important new safeguards, but with millions 
of American consumers in harm's way, why weren't these safety 
protocols already in place?
    For me, one of the most troubling issues is how long it 
took Sony to notify consumers.and the way in which the company 
did it--by posting an announcement on its blog. In effect, Sony 
put the burden on consumers to search for information instead 
of providing it to them directly. That cannot happen again.
    While I remain critical of Sony's initial handling of these 
data breaches--as well as its decision not to testify at our 
last hearing.and that goes for Epsilon as well--it's clear that 
since then the company has been systematically targeted by 
hackers and cyber thieves who are constantlyprobing Sony's 
security systems for weaknesses and opportunities to infiltrate 
its networks.
    So today, let's not point fingers. Instead, let's point the 
way--a better, smarter way--to protect American consumers 
online. As I have said, you shouldn't have to cross your 
fingers and whisper a prayer when you type in a credit card 
number on your computer and hit ``enter.'' E-commerce is a 
vital and growing part of our economy. We should take steps to 
embrace and protect it--and that starts with robust cyber 
security.
    As Chairman of this Subcommittee, I believe the lessons 
learned from the Sony and Epsilon experiences can be 
instructive. How did these breaches occur? What steps are being 
taken to prevent future breaches? What's being done to mitigate 
the effects of these breaches? And what policies should be in 
place to better protect American consumers in the future?
    Most importantly, consumers have a right to know when their 
personal information has been compromised, and companies have 
an overriding responsibility to promptly alert them.
    These recent data breaches only reinforce my long-held 
belief that much more needs to be done to protect sensitive 
consumer information. Americans need additional safeguards to 
prevent identity theft, and I will soon introduce legislation 
designed to accomplish this goal. My legislation will be 
crafted around three guiding principles:
    First, companies and entities that hold personal 
information must establish and maintain security policies to 
prevent the unauthorized acquisition of that data;
    Second, information considered especially sensitive, such 
as credit card numbers, should have even more robust security 
safeguards;
    And finally, consumers should be promptly informed when 
their personal information has been jeopardized.
    The time has come for Congress to take decisive action. We 
need a uniform national standard for data security and data 
breach notification, and we need it now.
    While I remain hopeful that law enforcement officials will 
quickly determine the extent of these latest cyber attacks, 
they serves as a reminder that all companies have a 
responsibility to protect personal information and to promptly 
notify consumers when that information has been put at risk. 
And we have a responsibility, as lawmakers, to make certain 
this happens.

    Mrs. Bono Mack. And now I would like to recognize the vice 
chairman of the--oh, I am sorry--the ranking member Mr. 
Butterfield for his 5-minute opening statement.

OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Mr. Butterfield. Let me thank you, Chairman Bono Mack, for 
your indulgence. I have been in my office with 28 constituents, 
one of whom was a World War II veteran and several Vietnam 
veterans and they wanted to take pictures and you know that 
drill. And so I had to accommodate them as best I could. But we 
are here and thank you very much for convening this hearing 
today. And I certainly thank the two witnesses for your 
presence.
    Madam Chairman, thank you for holding this hearing on data 
security and the recent breaches that we have seen at Sony and 
Epsilon. Last month, well over 100 million consumer records 
have been compromised as a result of those breaches, including 
full names, email and mailing addresses, the passwords, and 
maybe even credit card numbers. Those two major breaches 
illustrate that no company is safe from attack and that we must 
always operate at a heightened level of security and vigilance. 
No company wants its data compromised, and Sony and Epsilon are 
certainly no exception.
    Sony was victim to hackers who stole nearly 100 million 
consumer records, and it took engineers several days to realize 
that there was an intrusion. During that time, hackers had full 
access to Sony's servers. The breach that occurred at Epsilon 
was very large and involved the names and email addresses of 
about 50 of Epsilon's clients with conservative estimates of 60 
million records stolen. Luckily, no critically sensitive 
information was stolen, but it easily could have.
    It is important that businesses do all they can do to 
protect consumers from having their information fall into the 
wrong hands. For many Americans, shopping, paying bills, and 
refilling prescriptions and communicating with friends and 
family and even playing games are all done online. As people 
share more and more information online, the potential for 
personally identifiable information to be compromised increases 
exponentially. Names, physical addresses, dates of birth, 
Social Security numbers, and credit card numbers are just a few 
of the types of information that hackers are able to access and 
exploit.
    While 46 States have laws requiring consumer notification 
when a breach occurs, there is currently no federal standard to 
address this. Moreover, there is no federal law requiring 
companies that hold PII to have reasonable safeguards in place 
to protect this information. Without a federal standard, I am 
concerned that American consumers remain largely exposed 
online. And during the 109th Congress and subsequent 
Congresses, members of this committee worked in a bipartisan 
fashion to develop the Data, Accountability, and Trust Act to 
address the issue of data security.
    The DATA bill of the 111th Congress by my friend and former 
chairman of the subcommittee Mr. Rush from Illinois would have 
required entities holding data containing personal information 
to adopt reasonable and appropriate security measures to 
safeguard it and, in the event of a breach, to notify affected 
individuals. The DATA bill passed the House and the 111th 
Congress but our friends in the Senate did not act. The DATA 
bill is a good foundation to improve the security of e-
commerce, something that is good for consumers and good for 
business. It would give American consumers more peace of mind 
about online transactions and make them more likely to continue 
and expand their use of online services.
    And so, Madam Chairman, we have learned a lot from the 
breaches at Sony and Epsilon and I expect to learn more today 
from our two witnesses. I want you to know that I stand ready 
to work with you and our colleagues to pass a strong bipartisan 
data security bill like the DATA bill that we saw in the last 
session. I thank today's witnesses for their testimony and look 
forward to each of you. Thank you very much. I yield back.
    Mrs. Bono Mack. I thank the gentleman. Chairman Upton 
yielded his 5 minutes for an opening statement to me in 
accordance with committee rules. And as his designee, I now 
recognize Mrs. Blackburn for 2 minutes.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you, Madam Chairman. I will submit my 
full statement.
    A couple of comments. I think that the Sony and the Epsilon 
breaches raise a lot of questions with our constituents. What 
they are asking us is, number one, how do you minimize identity 
theft? Number two, they want proper notifications from the 
venders that they are doing business with. And number three, 
they want to see better coordination with law enforcement. They 
feel as if this is missing. And I know that as we address this, 
what we are going to have to look at is better government 
coordination, incentives for industry cooperation in this 
issue, stricter penalty deterrents against hackers, and a 
flexible framework for risk assessment and breach alerts.
    As we do this, I hope that we will continue to look at the 
threat of digital protection of intellectual property. The two 
are interrelated and they both deserve attention. And I have to 
tell you, with the new music cloud services from Apple, Google, 
and Amazon, my concern is there that we hold everybody 
accountable and secure the integrity of that system.
    I do want to highlight that on the issue of the illegal 
downloads and file sharing, my home State of Tennessee has just 
passed and signed into law a bill that puts in place penalties 
for this. They have made this a crime in our State, and I am 
glad they did it because losing content to the rogue Web sites 
not only becomes an issue for the entertainment industry, but 
it exposes consumers to viruses, dangerous products, and 
increases the likelihood of data theft.
    So I thank you all for being here and I yield back my time.
    [The prepared statement of Mrs. Blackburn follows:]

              Prepared Statement of Hon. Marsha Blackburn

    I thank the Chair for holding this hearing on securing our 
online data and privacy.
    This is a timely subject of importance not only for our 
economy, but also for our virtual and physical safety.
    Last year Tennessee ranked 18th for fraud, and 19th for 
identity theft complaints nationwide. But the disturbing 
proliferation of data theft knows no boundaries in the virtual 
marketplace. And the Epsilon and the two Sony breaches raise 
the stakes of our policy response.
    Just this week, after problems with the Android app for 
Skype were apparently fixed, consumers reported receiving robo-
calls soliciting their credit card information.
    Representatives from the industry have an obligation to 
explain to the American people exactly how our data is being 
hijacked, and what exactly they plan to do about it.
    In examining the lifecycle of these data breaches, an 
obvious and disturbing pattern can been seen in lagging 
consumer notifications. It's a trend I fear perpetuates 
industry's ``culture of damage control''--a business strategy 
that accelerates identity theft and virtual phishing schemes.
    We need a framework that gives consumers at least a 
fighting chance to protect the ``Virtual You''--one's online 
identity--not just the false sense of security they have been 
fed.
    I look forward to the witnesses' testimony, and to an open 
discussion about how we can secure our data and privacy in the 
virtual realm. I yield my time.

    Mrs. Bono Mack. I thank the gentlelady. And the chair 
recognizes Mr. Stearns for 2 minutes.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Thank you, Madam Chair.
    I think it is mentioned by the chairwoman, the FTC recently 
reported 9 million Americans have fallen victim to identity 
theft. And I think it is sort of puzzling, a corporation as 
strong and comprehensive as Sony, they would, you would think, 
have the ability to certify that their data is secure. As 
recently mentioned, over 45 States have adopted a data breach 
notification requirement, but, of course, there is no law on a 
federal basis. So it is good that you folks are here so we can 
ask you some questions about, you know, perhaps if you know who 
the people were, what was the requirements that you set up in a 
corporation as extensive as Sony, and do you think there is a 
criminal case here that should be prosecuted? So there are lots 
of questions so I appreciate your coming here.
    As many of you know, I had a bill when I was chairman of 
the subcommittee that we got out of the House. Unfortunately, 
it did not get through the Senate. And I have introduced it 
with Mr. Matheson again, which simply required the Federal 
Trade Commission to develop these regulations requiring persons 
that own or possess electronic data to establish necessary 
security policies and procedures, as well as notification 
mechanism.
    So both of our witnesses today certainly have within their 
power to provide the software, the data security provisions 
that are necessary. I think it must be puzzling to them as well 
as to us why this happened to them considering how 
sophisticated both of them are. I have had the opportunity to 
talk to them in my office, so it is very appreciative that you 
took the time to come here and talk to us and we look forward 
to your testimony. Thank you.
    Mrs. Bono Mack. I thank the gentleman. And the chair 
recognizes Mr. Olson for 1 minute.

   OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Olson. I thank the chairwoman for her leadership in 
calling this timely hearing.
    As we all learned this morning, overseas hackers from China 
hacked into Google email accounts. Like Sony, Epsilon, and now 
Google, my home State of Texas has experienced a massive data 
breach in April of this year when almost 3.5 million Texans had 
their personal information, their names, mailing addresses, and 
Social Security numbers compromised from the office of the 
Texas Comptroller of Public Accounts, and it was posted to a 
public server.
    There is a clear need for government, businesses, and 
citizens to work together to protect citizens' personal 
information. I look forward to working with the chairwoman on 
comprehensive data security legislation.
    I thank the witnesses for coming. I yield back the balance 
of my time.
    Mrs. Bono Mack. I thank the gentleman and turn our 
attention to the panel. We have a single panel of very 
distinguished witnesses joining us today. Welcome. Each of you 
have a prepared statement that will be placed into the record, 
but if you could summarize your statements in your remarks, we 
would appreciate it.
    On our panel, we have Jeanette Fitzgerald, General Counsel 
for Epsilon Data Management, LLC. Also testifying is Tim 
Schaaff, President, Sony Network Entertainment International. 
Good afternoon, and thank you both very much for coming. You 
will each be recognized, as I said, for 5 minutes. To help you 
keep track of time, there is a clever little device in front of 
you: red, yellow, green. And when the light turns yellow, 
please summarize as you would a traffic light.
    So Ms. Fitzgerald, you are recognized for 5 minutes. And 
please remember the microphone and pull it close to your mouth 
if you would.

  STATEMENTS OF JEANETTE FITZGERALD, GENERAL COUNSEL, EPSILON 
DATA MANAGEMENT, LLC; AND TIM SCHAAFF, PRESIDENT, SONY NETWORK 
                  ENTERTAINMENT INTERNATIONAL

                STATEMENT OF JEANETTE FITZGERALD

    Ms. Fitzgerald. Ranking Member Butterfield, and 
distinguished members of----
    Mrs. Bono Mack. Sorry. Excuse me. Would you pull the 
microphone up?
    Ms. Fitzgerald. Closer? Better?
    Mrs. Bono Mack. Thank you.
    Ms. Fitzgerald. Good morning. Chairman Bono Mack, Ranking 
Member Butterfield, and distinguished members of the 
subcommittee, my name is Jeanette Fitzgerald, and I am the 
general counsel for Epsilon Data Management. Thank you for 
inviting me to present Epsilon's testimony on data security. I 
hope that I can provide information today in going forward that 
will act as a helpful resource as you consider data security 
legislation that is in the best interest of both consumers and 
business. My full written testimony has been submitted for the 
record. I will summarize it here and hope to leave you with 
three main points.
    First, who is Epsilon and how do we provide important data 
management services for our clients? Second, how the attack of 
March 30 occurred and what we are doing to apprehend the 
perpetrators and improve our own data security. And finally, 
why we think national data breach notification legislation is 
important.
    Epsilon is the leading provider of permission-based email 
marketing services. Our clients, some of the world's largest 
and best-known consumer and financial services brands count on 
us to send their email messages to their customers, the 
individual consumer. And as we all know, major brands use email 
messages to provide consumers with timely information about new 
products and sales and events, among other things. Epsilon 
ensures that these email messages comply with applicable legal 
requirements, including CAN-SPAM Act.
    To earn and keep our clients' trust, Epsilon became the 
first in the industry in 2006 to certify that its information 
security program complied with the standards issued by the 
International Association of Standardization, known as ISO. 
ISO, a highly regarded organization, is recognized by over 160 
countries around the world, including the United States, as 
identifying best practices for information security management. 
The standards are demanding, requiring over a year to earn 
initial certification. We are proud that Epsilon leads the 
industry and that we have achieved yearly recertification, 
which requires proof that the company is improving its security 
program each year.
    Notwithstanding our internal security procedures and our 
compliance with these rigorous data security standards, as you 
know, Epsilon was the victim of a criminal hacking incident at 
the end of March. Since our information security program was 
designed to identify and respond to attacks and threats, we 
were quickly able to detect the unauthorized download activity, 
which triggered Epsilon's security incident response program.
    Our investigation, both internal and with an independent 
third party, is coordinated closely with the Secret Service and 
is still ongoing. But we can say that the initial investigation 
confirms that only email addresses and, in some cases, first 
and last names were affected by this attack. Again, only email 
addresses and, in some cases, first and last names were 
affected. The details of what happened after the attack are in 
my written statement that has been submitted for the record. We 
are greatly troubled that this criminal incident has called 
into question our commitment to data security. But I want to 
leave you with four main points about what happened and how 
Epsilon responded.
    First, our internal response to the criminal attack was 
immediate. We isolated computers and changed employee access 
rights. Second, our forensics investigation began within hours. 
We also reached out to law enforcement just as quickly. Third, 
notification to our clients also occurred on the same day, and 
we released a public statement and posted additional public 
information on our Web site shortly thereafter. And finally, 
now and going forward, we reiterate our commitment to working 
with the Secret Service, apprehending the hackers, and 
improving our own security.
    Companies like Epsilon are on the frontlines in the fight 
against data theft. We also believe Congress has an important 
role to play in protecting consumers. To that end, Epsilon 
fully supports legislation that would create a uniform standard 
for data breach notification. The current patchwork of over 45 
individual State breach notification laws is confusing. A 
uniform national law, on the other hand, would provide 
predictability and equitable protection for consumers, 
regardless of their State of residence.
    Chairman Bono Mack, Ranking Member Butterfield, and members 
of the subcommittee, we look forward to working with you as the 
legislative process moves forward. I sincerely hope that the 
information I am able to provide at this hearing is helpful to 
the subcommittee as it considers this critical issue. Thank 
you.
    [The prepared statement of Ms. Fitzgerald follows:]

    [GRAPHIC] [TIFF OMITTED] T1258.001
    
    [GRAPHIC] [TIFF OMITTED] T1258.002
    
    [GRAPHIC] [TIFF OMITTED] T1258.003
    
    [GRAPHIC] [TIFF OMITTED] T1258.004
    
    [GRAPHIC] [TIFF OMITTED] T1258.005
    
    [GRAPHIC] [TIFF OMITTED] T1258.006
    
    [GRAPHIC] [TIFF OMITTED] T1258.007
    
    Mrs. Bono Mack. Thank you, Ms. Fitzgerald. And Mr. Schaaff, 
you are recognized for 5 minutes.

                    STATEMENT OF TIM SCHAAFF

    Mr. Schaaff. Thank you. Chairman Bono Mack, Ranking Member 
Butterfield, and other distinguished members of the 
subcommittee, thank you for providing Sony with this 
opportunity to testify on cyber crime and data security.
    My name is Tim Schaaff and I am president of Sony Network 
Entertainment International, a subsidiary of Sony Corporation 
based in California, where we employ approximately 700 people 
in five offices around the State. I am chiefly responsible for 
the business and technical aspects of Sony's PlayStation 
Network and Curiosity, an online service that allows consumers 
to access movies, television shows, music and video games. Sony 
Network Entertainment, Sony Online Entertainment--another 
subsidiary of Sony's--and millions of our customers were 
recently the victims of an increasingly common digital age 
crime--a cyber attack. Indeed, we have been reminded in recent 
days of the fact that no one is immune from the threat of cyber 
attack. Businesses, government entities, public institutions, 
and individuals can all become victims.
    The attack on us, we believe, is unprecedented in its size 
and scope. Initially anonymous, the underground group 
associated with last year's WikiLeaks-related cyber attacks 
openly called for and carried out massive denial-of-service 
attacks against numerous Sony internet sites in retaliation for 
Sony bringing action in Federal Court to protect its 
intellectual property. During or shortly after those attacks, 
one or more highly skilled hackers infiltrated the servers of 
the PlayStation Network and Sony Online Entertainment.
    Sony Network Entertainment and Sony Online Entertainment 
have always made a concerted and substantial effort to maintain 
and improve their data security systems. We hired a well 
respected and experienced cyber security firm to enhance our 
defenses against the denial-of-service attacks threatened by 
anonymous, but unfortunately, no entity can foresee every 
potential cyber security threat.
    We have detailed for the subcommittee in our written 
testimony the timeline from when we first discovered the 
breach. But to briefly summarize, the first indication of a 
breach occurred on Tuesday, April 19 of this year. On 
Wednesday, April 20, we mobilized an investigation and 
immediately shut down all of the PlayStation Network services 
in order to prevent additional unauthorized activity. After two 
highly respected technical forensic firms were retained to 
assist in a time-consuming and complicated investigation, on 
Friday, April 22, we notified PlayStation Network customers via 
post on the PlayStation blog that an intrusion had occurred. 
After a third forensic firm was retained, on Monday, April 25, 
we were able to confirm the scope of the personal data that we 
believed had been accessed. And although there was no evidence 
credit card information had been accessed, we could not rule 
out the possibility.
    Therefore, the very next day, Tuesday, April 26, we issued 
a public notice that we believed the personal information of 
our customers had been taken. And that while there was no 
evidence that credit card data was taken, since we could not 
rule out the possibility, we had to acknowledge that it was 
possible. We also posted this on our blog and began to email 
each of our accountholders directly. We did not merely make 
statements on our blog.
    On Sunday, May 1, Sony Online Entertainment, a multi-player 
online videogame network, also discovered that data may have 
been taken. On Monday, May 2, just one day later, Sony Online 
Entertainment shut down this service and notified customers 
directly that their personal information may have also been 
compromised. Throughout this time, we felt a keen sense of 
responsibility to our customers. We shut down the networks to 
protect against further unauthorized activity. We notified our 
customers promptly when we had specific, accurate, and useful 
information. We thanked our customers for their patience and 
loyalty and addressed their concerns arising from this breach 
with identify theft protection programs for the U.S. and other 
customers around the world where available, as well as a 
welcome-back package of extended and free subscriptions, games, 
and other services. And we worked to restore our networks to 
stronger security to protect our customer's interests.
    Let me address the specific issues you are considering 
today: notification of consumers when data breaches occur. Laws 
and common sense provide for companies to investigate breaches, 
gather the facts, and then report data losses publicly. If you 
reverse that order issuing vague or speculative statements 
before you have specific and reliable information, you either 
send false alarms or so many alarms that these warnings may be 
ignored. We therefore support federal data breach legislation 
and look forward to working with the subcommittee on the 
particulars of the bill.
    One final point--as frustrating as the loss of networks for 
playing games was for our customers, the consequences of cyber 
attacks against financial or defense institutions can be 
devastating for our economy and security. Consider the fact 
that defense contractor Lockheed Martin and the Oakridge 
National Laboratory, which helps the Department of Energy 
secure the Nation's electric grid, were also cyber attacked 
within the past 2 months.
    By working together to enact meaningful cyber security 
legislation, we can limit the threat posed to us all. We look 
forward to this initiative to make sure that consumers are 
empowered with the information and tools they need to protect 
themselves from cyber criminals. Thank you very much.
    [The prepared statement of Mr. Schaaff follows:]

    [GRAPHIC] [TIFF OMITTED] T1258.008
    
    [GRAPHIC] [TIFF OMITTED] T1258.009
    
    [GRAPHIC] [TIFF OMITTED] T1258.010
    
    [GRAPHIC] [TIFF OMITTED] T1258.011
    
    [GRAPHIC] [TIFF OMITTED] T1258.012
    
    [GRAPHIC] [TIFF OMITTED] T1258.013
    
    [GRAPHIC] [TIFF OMITTED] T1258.014
    
    [GRAPHIC] [TIFF OMITTED] T1258.015
    
    [GRAPHIC] [TIFF OMITTED] T1258.016
    
    [GRAPHIC] [TIFF OMITTED] T1258.017
    
    [GRAPHIC] [TIFF OMITTED] T1258.018
    
    [GRAPHIC] [TIFF OMITTED] T1258.019
    
    [GRAPHIC] [TIFF OMITTED] T1258.020
    
    [GRAPHIC] [TIFF OMITTED] T1258.021
    
    [GRAPHIC] [TIFF OMITTED] T1258.022
    
    [GRAPHIC] [TIFF OMITTED] T1258.023
    
    [GRAPHIC] [TIFF OMITTED] T1258.024
    
    [GRAPHIC] [TIFF OMITTED] T1258.025
    
    [GRAPHIC] [TIFF OMITTED] T1258.026
    
    [GRAPHIC] [TIFF OMITTED] T1258.027
    
    [GRAPHIC] [TIFF OMITTED] T1258.028
    
    Mrs. Bono Mack. Thank you, Mr. Schaaff. And I would like to 
thank both of you for your opening statements, as well as for 
your unique insight into these disturbing data breaches. I am 
confident that the lessons learned with assist us in our 
efforts to develop new online safeguards for American 
consumers.
    And I am going to recognize myself for the first 5 minutes 
of questioning.
    And, Mr. Schaaff, given the extreme makeover of Sony's 
online security protocols, it does beg the question why weren't 
many of these safeguards, such as having a chief security 
information officer in place before the April data breaches?
    Mr. Schaaff. We believe that the security that we had in 
place was very, very strong and we felt that we were in good 
shape. However, as the attacks indicated, the intensity and 
sophistication of the hack was such that even despite those 
best measures that we had taken, it was not sufficient. And as 
we recognize moving forward that the scrutiny that we are 
likely to be under from the hackers will continue, we have made 
additional commitments to enhance the security of our networks.
    In addition, we had been working for some months now, more 
than 18 months to expand both the capacity and security of our 
network. We are a new business but we are a very fast-growing 
business.
    Mrs. Bono Mack. All right. Let me jump ahead.
    Mr. Schaaff. Sure.
    Mrs. Bono Mack. You indicated with Sony in the May 3 letter 
that you contacted the FBI on April 22, which was 2 days after 
it determined the breach had in fact occurred. Why did Sony 
wait 2 days to notify law enforcement?
    Mr. Schaaff. My understanding is that we notified them as 
soon as we had something clear that we could report that 
indicated some sign of external intrusion that would be 
unauthorized or illegal.
    Mrs. Bono Mack. Your testimony indicates four servers were 
taken offline on April 19 before you pulled the plug on all 130 
servers. Can you tell us what information was different that 
was stored on those initial four servers?
    Mr. Schaaff. Well, these were part of a larger network of 
machines and we believed this was just the first entry point 
that the hacker may have used to get into the network, and upon 
discovering them, we immediately shut them down. But there were 
other servers that were also attacked by the hackers as well.
    Mrs. Bono Mack. Some media reports indicate Sony's servers 
may not have had up-to-date patches or firewalls prior to the 
attack. Is that true?
    Mr. Schaaff. That is actually patently false. The Apache 
servers were fully up to date, fully patched. And in fact, we 
had had several layers of firewalls in place, also contrary to 
so many of the things you may have read on the internet. As you 
know, the internet is not always a reliable source of factual 
information.
    Mrs. Bono Mack. And you state that you believe the cyber 
attack on Sony was unprecedented in both size and scope. Can 
you explain why you believe it is unprecedented?
    Mr. Schaaff. Well, we believe that the sophistication of 
the attack, the collection of activities that were undertaken, 
the period of time in which the hackers were carefully 
exploring the network, and then ultimately the scope of the 
service that was breached makes it quite a remarkable attack. 
And despite the deep security measures that we had taken, it 
was nevertheless insufficient to guard against these attacks.
    Mrs. Bono Mack. Was the consumer data you held encrypted? 
And why or why not?
    Mr. Schaaff. So, of course, the credit card information 
that was held was encrypted. Password login data was protected 
using cryptographic hash functions. And these practices are in 
line with industry practice.
    Mrs. Bono Mack. Thank you. Ms. Fitzgerald, would greater 
security requirements have prevented your breach? And if not, 
what added protection are your new security measures providing?
    Ms. Fitzgerald. At the time, we had very extensive security 
as I noted in my opening statement and the written statement I 
provided. We have continued through the investigation to 
evaluate additional things that may be done to strengthen both 
our networks and any of the access points. We have also decided 
to hire some outside experts to even evaluate the network 
further and see if there is anything else in different parts of 
our network that need to be adjusted.
    Mrs. Bono Mack. Coming as a consumer who received multiple 
notices about your breach, there are also indications that 
consumers received notice of the breach from your business 
customers for which, in some cases, they hadn't had a purchase 
or customer relationship for 4 or 5 years. Do you ever purge 
your data and why do you hold onto information for as long as 
you do?
    Ms. Fitzgerald. So let me step back a second to remind 
everyone how Epsilon plays in this. Epsilon is a service 
provider to the well-known names that you may have received 
notifications from, and they have the relationship with the 
consumer. What data we hold is determined by the client, and 
the client then tells us what to hold and what we then do with 
it in terms of sending out notices or any sort of marketing 
messages is entirely up to the client. It is not----
    Mrs. Bono Mack. Do you advise them on when it might be a 
good time to purge data?
    Ms. Fitzgerald. It depends on what they want to do with the 
data. And there is also opt-out data that would have been held 
because in order to comply with CAN-SPAM, you have to maintain 
records of who has opted out. So if, 2 years ago, you opted out 
and you haven't had any activity, that list would still be 
there because you have to comply with CAN-SPAM. So we have to 
be able to duplicate or de-duplicate and take those names out 
any time that we do a mailing.
    Mrs. Bono Mack. OK. Thank you. My time has expired. I will 
recognize the ranking member, Mr. Butterfield, for his 5 
minutes.
    Mr. Butterfield. Thank you, Madam Chairman.
    Mr. Schaaff, let me start with you and if I have any time 
remaining, I will go over to Ms. Fitzgerald.
    Mr. Schaaff, I understand that your internal investigation 
has not turned up any evidence suggesting that credit card data 
was taken from the network, but to me, that doesn't necessarily 
mean that the data was not taken, just that you haven't turned 
up any digital fingerprints that would allow you to know with 
certainty that it was taken. And I think you see what I am 
saying there. Help me with that. How certain are you that the 
data was not taken in the attack?
    Mr. Schaaff. Well, as you know, we have been engulfed in an 
intensive investigation over the past 6 weeks since the breach 
occurred, and we have looked deeply at the logs related to the 
databases. And in those logs we have found no clear evidence 
that there was any access made to the credit card information, 
and we found plenty of evidence that suggests that that data 
was not accessed. That is the basis for today's statements that 
we do not believe the credit card information was compromised.
    Mr. Butterfield. Now, in your testimony, you mentioned that 
the attack took place on April 19, that the PlayStations were 
shut down on April 20, and that you did something on April 22. 
Help me with that if you could shed some light on what you did 
on April 22.
    Mr. Schaaff. On April 22, this was the point at which we 
first notified consumers that there had been an intrusion. We 
were trying to understand what had happened to the network, and 
we were actively beginning the investigation of that breach. 
And at the point that we were able to determine that there had 
been an intrusion, we immediately notified consumers so that 
they would be aware of what had occurred, even though at that 
time we were not yet able to confirm precisely which data may 
have been compromised.
    Mr. Butterfield. So is it your testimony that on April 22, 
you began the process of notifying the consumers?
    Mr. Schaaff. Well, we notified them on the PlayStation blog 
of the intrusion, but then on April 26, we followed that up 
with an additional notification regarding more specifics 
related to the actual data that may have been breached and we 
began immediately notifying consumers starting from that date 
via email of the breach as well.
    Mr. Butterfield. But the April 22 announcement was simply 
on the internet? It was on the blog?
    Mr. Schaaff. That was posted on the PlayStation blog. The 
PlayStation blog is one of the most active and popular blogs on 
the web. It is currently ranked about number 20, just behind 
the White House blog. So it is a very, very expected place for 
our consumers to look for information.
    Mr. Butterfield. Do you have any way of knowing how many 
consumers actually read the statement?
    Mr. Schaaff. I don't know the answer to that off the top of 
my head. We can investigate and----
    Mr. Butterfield. But 7 days after the breach was when 
official notification was issued?
    Mr. Schaaff. We were not able to determine until the day 
that we had notified consumers. We were searching for evidence 
that would allow us to confirm the status of the credit card 
information and not being able----
    Mr. Butterfield. Do you think 7 days was a reasonable time?
    Mr. Schaaff. Actually, what has been interesting from my 
perspective is that we have continued this investigation in the 
successive weeks, and as you hear me speaking today, some of 
our conclusions with respect to credit card information have 
changed somewhat from our original statements. And that change 
has occurred because of the continuing investigation. In the 
abundance of caution, we acknowledge the possibility that 
credit cards would have been taken in our announcements on the 
26th. But as you can see, the situation changes as the 
investigation proceeds, and we felt it would have been 
irresponsible if we had notified consumers earlier with partial 
or incomplete information.
    Mr. Butterfield. But you have, based on your experience 
here, made some corrections and some adjustments in the credit 
card data that you collect?
    Mr. Schaaff. We have been working to increase the security 
of the entire network and additional controls related to credit 
card data have also been put in place, yes.
    Mr. Butterfield. And how do these measures compare to those 
for the other types of personal information that you have, the 
credit card data versus the other information?
    Mr. Schaaff. Yes, excuse me. The credit card information is 
the most highly protected and guarded information. It is all 
encrypted and so even if it is taken, it is not likely to be 
useful to the hacker.
    Mr. Butterfield. Is it true that user passwords were hashed 
and not encrypted? Is that true?
    Mr. Schaaff. That is true. It is true that they were hashed 
using cryptographic hash functions. That is an industry 
practice which is very standard. It is not an unusual practice 
at all.
    Mr. Butterfield. Industry standard. Well, why don't you use 
any type of encryption in your procedures?
    Mr. Schaaff. It is a form of protection that is very, very 
closely related to encryption, and I am not an expert in 
cryptography so I am not sure that I could answer the question 
in a more detailed way.
    Mr. Butterfield. What is irreversible encryption?
    Mr. Schaaff. Irreversible encryption is my understanding of 
the definition of a cryptographic hash. I am sorry. This is--
wait. OK.
    Mr. Butterfield. Ms. Fitzgerald, your testimony states that 
Epsilon's internal investigation revealed that the login 
credentials of the employee who reported unusual and suspicious 
download activity had been compromised. And in layman's terms, 
I suppose, I assume this means that the employees credentials 
had been hijacked and been used by a hacker to carry out the 
intrusion into your network and to steal consumers' email 
addresses. Can you please tell me a little bit more about what 
that means, that the employee's login credentials were 
compromised?
    Ms. Fitzgerald. Well, what we had understood during the 
investigation is that the credentials were somehow used based 
on the logs, though not necessarily by that person, to actually 
download that information. That is why we then immediately--our 
system kicked into place and immediately we saw that there was 
improper downloads and so our security system kicked in and 
then we knew that there was a problem and we shut their access 
down and anybody else who had credentials at that level and 
took that computer off the system.
    Mr. Butterfield. Thank you. My time has expired.
    Mrs. Bono Mack. I thank the gentleman and recognize the 
gentleman from Florida, Mr. Stearns, for 5 minutes.
    Mr. Stearns. Thank you, Madam Chair. Let me be sure I 
understand, Ms. Fitzgerald, exactly what was taken. It is our 
understanding emails were taken and the name of the people 
whose email was taken. Is that correct?
    Ms. Fitzgerald. I am sorry. Was that to me?
    Mr. Stearns. Yes.
    Ms. Fitzgerald. I am sorry.
    Mr. Stearns. What was actually taken, as I understand it, 
is emails----
    Ms. Fitzgerald. It was email addresses, and in some cases, 
first and last names.
    Mr. Stearns. First and last names. OK. And that was all?
    Ms. Fitzgerald. Yes.
    Mr. Stearns. And you said that you notified all 50 to 75 
customers. Is that correct?
    Ms. Fitzgerald. There were about 50 customers of our 
clients, that were affected.
    Mr. Stearns. OK.
    Ms. Fitzgerald. And we notified them.
    Mr. Stearns. Would you provide the committee the complete 
list of those?
    Ms. Fitzgerald. The names of those clients are subject to 
agreements that we have with them, and we are supposed to keep 
those confidential.
    Mr. Stearns. So you cannot provide us----
    Ms. Fitzgerald. So we notified them promptly so they 
could----
    Mr. Stearns. No, I know you notified them, but you cannot 
provide the committee with these names? Is that what you are 
saying today?
    Ms. Fitzgerald. Not at this point, no.
    Mr. Stearns. Now, I have in our material that some of these 
people are J.P. Morgan Chase, Capital One, Citibank, Best Buy, 
Verizon, Target, Home Shopping Network, and Verizon. Is that 
part of the 50 to 75?
    Ms. Fitzgerald. I recognize most of those names as being 
ones that sent us notification----
    Mr. Stearns. They are people that have huge number of 
people, so the impact of this 50 to 75, we cannot even 
comprehend how many Verizon has. So can you extrapolate, not 
telling us in detail, but if Verizon is one of your customers 
and you had a breach with the emails and names, does that mean 
that perhaps millions of names from Verizon had been breached?
    Ms. Fitzgerald. There could be many.
    Mr. Stearns. Just yes or no.
    Ms. Fitzgerald. Yes.
    Mr. Stearns. Yes, oK. Now, with Sony, the question is, as I 
understand it, the password for the Sony PlayStation was 
breached. Is that correct?
    Mr. Schaaff. Well, we believe that there were a number of 
different types of information accessed, including first name 
and last name, address, date of birth, login, password, login 
address----
    Mr. Stearns. For the Sony PlayStation?
    Mr. Schaaff. For the Sony PlayStation Network, yes.
    Mr. Stearns. OK. And what about their credit cards?
    Mr. Schaaff. As I said, we had originally stated that there 
was a possibility. We could not rule out the possibility that 
the credit card information had been accessed. At this point in 
time, we do not see any evidence that it has been.
    Mr. Stearns. OK. When you look at the person's credit card 
together with personal information, his password for Sony 
PlayStation, would one person have all of that breached for 
that one person or is it segmented so somebody got their 
password, somebody got their credit card, somebody got their 
person or is all this information together when it was 
breached?
    Mr. Schaaff. It is difficult for us to know exactly which 
data was taken, but it is likely that they would have been 
taken together, but we don't know for which accounts that would 
have been.
    Mr. Stearns. And what is a conservative estimate the number 
of people were affected by this breach?
    Mr. Schaaff. Well, so we have announced that there were 
approximately 77 million accounts that could have been 
accessed. When we took the network offline, obviously all of 
our customers were affected for the period of time that the 
network has been down, but that is part of the reason why we 
have provided the identity theft insurance, identity theft 
protection program, and these welcome back programs was to 
appreciate and acknowledge the loss of access to the network 
that our customers experienced and to address the concerns that 
they may have regarding the loss of their personal information.
    Mr. Stearns. Is it true that you brought suit to protect 
your IP against the hackers of PlayStation III device?
    Mr. Schaaff. That is true.
    Mr. Stearns. Why did you bring this suit?
    Mr. Schaaff. Well, just like the music industry and the 
movie industry, the PlayStation business is built upon 
intellectual property. Content providers invest millions of 
dollars to create titles that we then help them to distribute 
in our business and the employment of literally tens of 
thousands of people around the country.
    Mr. Stearns. Knowing what has happened to you with this 
breach, would you say that you would do it again?
    Mr. Schaaff. I am sorry. I didn't hear the question.
    Mr. Stearns. Knowing what has happened with this breach, 
would you go ahead and have done that suit again in hindsight?
    Mr. Schaaff. Well, I think this is one of the great 
challenges right now is how do companies protect their content 
businesses? I mean I think we made the right decision. Did it 
have consequences? It appears to have had some fairly negative 
consequences for the company. But if we hadn't done something, 
I think it would be playing out in a different company later 
on.
    Mr. Stearns. OK.
    Mr. Schaaff. I think this is a big issue for the Nation.
    Mr. Stearns. Now, assuming we have federal legislation, do 
you think federal legislation to address security breaches 
would help? Because I understand both of you are in States 
where we have state legislation and that didn't seem to 
necessarily force you to have a secure data security 
department. So why would federal legislation make it better 
than the States who have already passed? And you didn't comply, 
evidently, with the States.
    Mr. Schaaff. Well, actually, I think that the issue 
regarding the States' rights--I am not a lawyer. Let me mention 
up front I am not a lawyer.
    Mr. Stearns. Right.
    Mr. Schaaff. But my understanding here is that there are a 
variety of laws in a number of the States, but the laws are 
often seemingly in conflict and they can create very 
complicated situations for us to understand how we should 
behave properly with regard to notification obligations. 
Regarding the security of the network, I think the evidence of 
Epsilon, of Sony, of many other companies that have been 
reported in the news in the last several weeks indicates that 
despite spending millions of dollars to secure your networks, 
despite all of the best methods known to us, our networks are 
not 100 percent protected. It is a process that requires 
continual investment, and we do that, but I think without 
additional support from the government, it is unlikely we will 
all collectively be successful, and that will threaten the 
livelihood of the internet, the growing internet economy.
    Mr. Stearns. Thank you.
    Mrs. Bono Mack. The gentleman's time has expired. The chair 
recognizes Mr. Guthrie for 5 minutes.
    Mr. Guthrie. Thank you, Madam Chairman, for having this 
hearing. I appreciate it very much.
    So just to follow up on what Mr. Stearns said, the 
patchwork of state laws, the different state jurisdictions 
complicated your ability to respond? You didn't say that. Is 
that what I heard?
    Mr. Schaaff. I was responding specifically to the issue 
about the notification obligation.
    Mr. Guthrie. Right, the notification state laws.
    Mr. Schaaff. It is my understanding that there are some 
conflicting obligations there.
    Mr. Guthrie. So a federal standard would be----
    Mr. Schaaff. A federal standard that would preempt the 
states would be extremely helpful.
    Mr. Guthrie. OK. I just want to get kind of the nature--so 
Epsilon is a vendor for you? Is Epsilon a vendor for Sony? So 
did the hacker go to Epsilon into Sony or Sony to Epsilon to 
get to the other--how did that work?
    Mr. Schaaff. I am sorry. Let me clarify. These are actually 
two completely separate breach events.
    Mr. Guthrie. OK.
    Mr. Schaaff. So the activity at Epsilon was completely 
unrelated to--as far as we know--what happened at Sony.
    Mr. Guthrie. So you are not a vendor with Epsilon? This is 
two completely separate--oK. So the other customers--oK. I was 
thinking--I apologize. But your other customers, they came--the 
Epsilon, they got to your system, and then through your system 
were able to--at least the companies that you notified, the 
Verizons, the Krogers that was mentioned earlier, that was how 
that breach worked?
    Ms. Fitzgerald. So as a vendor, our ability to send out 
email addresses on behalf of those clients requires us to 
maintain those email addresses for them.
    Mr. Guthrie. Right.
    Ms. Fitzgerald. And that is how the hackers got in and got 
that information.
    Mr. Guthrie. OK. OK. Has Sony been victim before of any 
type of breach? And if so, how did that--not to this level, I 
know, but----
    Mr. Schaaff. We certainly experience a constant level of 
fraud, and we are under regular probing by hackers and others. 
I mean I think it is a standard part of anybody who is in the 
internet business these days.
    Mr. Guthrie. And for both of you, too, I know I am 
manufacturing background and we did ISO 9000, which was a set 
of standards for quality control. They have ISO 14000, a set of 
standards for environmental--and they are good practices to 
follow, but they leave a lot of interpretation to the 
businesses because otherwise they are formed by committee, and 
it would be difficult to change every time something needs to 
be changed. I am not familiar with this particular standard 
that you are talking about, but is it sufficient if you follow 
the ISO standards to--I guess my question is your industry is 
so fast-changing that when you are in the automotive industry, 
which I am in, you put a standard in place, it takes a while 
for things to innovate that the standard is out of date. It 
appears to me when I saw ISO that it would be difficult for 
them to keep up with the changes in the industry or, I guess 
what I am saying, the ability of people who hack to innovate to 
find new ways into your system. So is it sufficient--I guess 
ISO being certified sufficient, you think?
    Ms. Fitzgerald. We don't use the ISO as the only thing we 
do. We have lots of audits by our clients. We have 70 audits we 
have to do. And then, frankly, we have our own security program 
where we are continually trying to upgrade our systems and to 
make sure that we make things as tight as we can, but the 
hackers are very sophisticated. This wasn't some guy in a 
garage just coming after us. These are sophisticated guys. And 
I have talked to the Secret Service enough times now to know 
that we are not the only one and that they are working with the 
FBI. And there is a concerted effort to go after these guys.
    Mr. Schaaff. Um-hum. Yes, I would concur. I mean I think 
these guidelines and standards are important for the industry 
to move forward, but they are far from sufficient. And if they 
had been sufficient, I, you know, I wouldn't be here. And I 
think that we are all under attack and without additional 
measures to be taken and without kind of constant renewal of 
our practices, it is not going to be sufficient to fight the 
latest attacks.
    Mr. Guthrie. OK. Thank you. I guess one thing that I am 
really kind of concerned about as we move forward, I know 
Sony--any time you spend money because somebody did something 
illegal, that is an inefficiency to everybody. But the two- or 
three-store small business in Kentucky that maintains their 
clients files and just having the resources to be able to 
respond to protect their clients, to protect their customers. 
And just do you have any estimate of how much money just these 
events are going to cost your firm and hits, you know, the 
economy overall because that is what----
    Mr. Schaaff. I believe we have made statements publicly 
estimating a cost something in the range of $170 million for 
this particular incident. And obviously, as you note, for 
smaller businesses, number one, the ability to secure their 
networks as effectively is less because of the economics of 
that. And the evidence that I have seen in various reports 
suggest that the prevalence of successful attacks on small and 
midsize businesses is even higher than we see with the larger 
companies. It is a scary situation.
    Mr. Guthrie. Well, thank you. I yield back to the 
chairwoman.
    Mrs. Bono Mack. I thank the gentleman and the chair notes 
that we are being called to the floor for votes. My intention 
is to try to get through two more member questioning 5-minute 
segments before we recess. So the chair now recognizes Mr. 
Olson for 5 minutes.
    Mr. Olson. I thank the chairwoman. And again, I thank the 
witnesses for coming and giving us your expertise, your time 
today.
    As I stated in my opening statement, my home State of Texas 
experienced a serious and troubling data breach earlier this 
year. Names, addresses, social security numbers, and in some 
cases, birthdates and drivers' license numbers of state 
retirees and unemployment beneficiaries were posted unencrypted 
on a public server. In response, our state attorney general and 
the FBI have launched a criminal investigation into this data 
breach. Unfortunately, these kind of breaches are happening 
more frequently and they cause businesses tens of billions of 
dollars annually. The Federal Trade Commission estimates that 9 
million individuals in the United States have their identities 
stolen every year. This is the equivalent of approximately 17 
identities stolen every minute. That means that during the 
course of this hearing, if all of my colleagues and I take up 
our full 5 minutes, 85 IDs across this country will have been 
stolen.
    In response to the Texas data breach, the comptroller of 
public accounts launched a Web site called Texas Safeguard, 
which was created as a tool for Texans to receive up-to-date 
information about the breach, along with recommended security 
steps to take. And of note, they actually put a toll-free 
number up for folks to call and the comptroller is offering 
credit monitoring at no charge. There is also a frequently-
asked-questions page which outlines six steps people can take 
to protect themselves.
    But this burden is placed upon these victims of this breach 
and they have got to spend their own time enrolling in credit 
monitoring, placing fraud alerts on their credit files, 
requesting credit reports, and so on, and so on, and so on. Ms. 
Fitzgerald, Mr. Schaaff, given the breaches your companies have 
experienced and all the heartache and lost revenue, all the 
upset customers, all the resources you have had to expend to 
determine how these breaches occurred, I don't want to put 
words in your mouth, but you do think that there is a clear 
need for a comprehensive federal data breach and notification 
law, one that will create a uniform standard and preempt the 
current patchwork of state laws? Yea, nay?
    Ms. Fitzgerald. I do believe that it would be great if we 
had a federal data breach notification law that did preempt all 
of the state laws so it would be straightforward and companies 
would know exactly what they needed to take care of and who 
they needed to notify and when they needed to notify?
    Mr. Olson. Mr. Schaaff?
    Mr. Schaaff. Sony is also very supportive of such 
legislation and we would be very happy to participate and help 
in the formation of that legislation.
    Mr. Olson. All right. Thank you. And Ms. Fitzgerald, this 
is just for you, but why did you choose to contact law 
enforcement, the FBI, and the Secret Service as soon as you 
became aware of the incident? And is this a typical response 
for Epsilon to get law enforcement involved when a breach 
occurs when you don't necessarily know the extent of it?
    Ms. Fitzgerald. Well, we knew pretty quickly that there had 
been some data that had been downloaded and taken by somebody 
who wasn't authorized, and therefore, it was a criminal act in 
our mind. And so we went to look for law enforcement, the right 
ones to help us go after the bad guys.
    Mr. Olson. OK. And for you, Mr. Schaaff? I know you and 
PlayStation had one heck of an April. But why did you conclude 
that notifying PlayStation Network customers via the 
PlayStation blog was, as you stated, ``one of the best, 
fastest, and most direct means of communicating with 
customers?''
    Mr. Schaaff. In the years that PlayStation has been in 
business, we have managed this blog and it has become a very, 
very popular source of information for our customers about new 
game titles and all kinds of information related to 
PlayStation. And we know that it is a good way to get a message 
out to customers quickly. Of course, that wasn't the only way 
we communicated with our customers. We did follow up with 
public announcements through other channels, as well as email, 
direct emails to the consumers following the breach.
    Mr. Olson. OK. And one final question about sort of how you 
are prepared for this. I mean I know, Ms. Fitzgerald, for your 
testimony Epsilon had reactive plans in place ready to go if 
some sort of breach happened, and I assume that is the same for 
Sony.
    Mr. Schaaff. Absolutely.
    Mr. Olson. But, I mean, is there a specific entity within 
both of your companies that is proactive? I mean somebody you 
have got in your company that sort of looks at your security 
systems and tries to penetrate it, tries to find the 
weaknesses; I mean sort of a proactive approach instead of 
reacting to a breach, preventing a breach by recognizing 
weaknesses within the company?
    Mr. Schaaff. We have a successful approach the security 
involved both proactive as well as reactive approaches, and we 
definitely have those kinds of resources in place in my company 
and in Sony Corporation as a whole, an important part of our 
process.
    Ms. Fitzgerald. And I would agree with that also. Epsilon 
has that.
    Mr. Olson. OK. I see I am down to 16 seconds. I thank the 
witnesses again for your time. And at the risk of getting 
crosswise with the chairwoman and Mr. Stearns left, but go 
Mavericks.
    Mr. Schaaff. Thank you.
    Mrs. Bono Mack. The chair recognizes Mr. Harper for 5 
minutes.
    Mr. Harper. Thank you, Madam Chair. I would ask you, Mr. 
Schaaff, why did it take Sony approximately 7 days to notify 
customers that their personal data had been compromised?
    Mr. Schaaff. Well, the basic essence here was the find the 
right balance between notifying customers as soon as we had 
some sense that something had gone wrong but not being 
irresponsible in that notification and creating undue stress or 
concern within the customer base. We immediately began an 
investigation and we were able to notify customers within a 
couple of days that we had had an unauthorized external 
intrusion. But it took us several more days to be able to 
clearly discern what information had been taken and even at 
that point, we were not able to rule out the possibility that 
credit card information had been taken. Nevertheless, we went 
ahead and made a public statement regarding the potential of 
those losses.
    Mr. Harper. I just want to be clear. So how long was it 
before any customers got notification?
    Mr. Schaaff. We first discovered unusual activity on the 
19th. We shut down the network on the 20th of April, and we 
notified consumers on the 22nd of April. So it was basically 2 
days.
    Mr. Harper. Did you notify all the consumers at that point?
    Mr. Schaaff. Well, so at that point we were intensely 
involved in this investigation to try to figure out what to 
notify the customers about. And so at that time we notifying 
using the blog that we believed that there had been an 
intrusion. And then beginning on the 26th when we made a lot of 
public announcements related to specific information that may 
have been lose we initiated through news channels, obviously 
our blog, as well as through a direct email campaign to the 
customers detailed information about the nature of the loss.
    Mr. Harper. How many notifications did each consumer 
receive?
    Mr. Schaaff. Well, my understanding is that in regard to 
the Sony PlayStation breach, that should have been 
approximately 77 million emails that were sent.
    Mr. Harper. Now, I understand but were they notified more 
than one time as you learned additional information?
    Mr. Schaaff. Well, we notified via the blog on the 22nd. We 
provide updates on that blog on a regular basis as to kind of 
the concurrent state of affairs, but I believe in terms of the 
email notifications related to the potential loss of data, that 
was a one-time event.
    Mr. Harper. Do you believe the news that you passed on, 
looking back now, do you believe it was done quickly enough?
    Mr. Schaaff. What I would say is that we tried very, very 
hard to find the right balance there, and I believe that if we 
had responded earlier, it would have probably been 
irresponsible. Even to this day we question whether we should 
have taken a little bit more time to finish the investigation 
with regard to the credit card information. I believe we 
probably struck the right balance, but it was a tough call.
    Mr. Harper. And I know there was a letter that was sent out 
on May 3 where you had indicated that there was no evidence of 
misuse of the customers' personal information that was accessed 
during that breach. We are a month past that point. Is that 
still your position on that?
    Mr. Schaaff. When we talked to the credit card companies, 
they have still told us that they see no signs of unusual 
activity related to this breach.
    Mr. Harper. And do you know where the attacks originated?
    Mr. Schaaff. Unfortunately, at this time we don't.
    Mr. Harper. OK.
    Mr. Schaaff. We are working with law enforcement and others 
to try to figure that out, but at this time we don't have any 
clear----
    Mr. Harper. Of course, we certainly hear media reports or 
speculation, and I know you don't have it with any certainty, 
but there was one report that initially suggested that Amazon's 
pay-per-use cloud service may have been used. Is there any 
accuracy to that or any proof of that?
    Mr. Schaaff. Well, so what I know is the FBI is 
investigating that report, and at this time I don't have any 
other information about whether that is true or not.
    Mr. Harper. Now, does Sony Online Entertainment and Sony 
Network Entertainment, are they using the same server models 
and security protections and the software?
    Mr. Schaaff. We comply with the same types of industry 
practices and are subject to the same policies as far as being 
a part of the Sony Corporation. The specific architecture of 
each of those services is probably different because the types 
of services that we provide are different. But, you know, 
across the industry, most internet service providers are 
building their services out of largely the same basic 
components so there is probably a lot of commonality there.
    Mr. Harper. Thank you. Madam Chair, I yield back the 
balance of my time.
    Mrs. Bono Mack. I thank the gentleman. And at this point in 
time we are going to recess the committee to head over to the 
floor for vote. And our intention is to return as soon after as 
we can from the series of votes. It should be about 45 minutes 
is my guess. Things could change. So the subcommittee stands 
recessed until after the last vote on the floor.
    Ms. Fitzgerald. Thank you.
    [Recess.]
    Mrs. Bono Mack. The subcommittee will reconvene and come to 
order obviously. I wanted to thank you very much for indulging 
us and apologize that there has been a slight little change of 
plans with the minority headed over to the White House for a 
very important meeting with the President. We have agreed that 
we would conclude questions.
    But before I do that, I would like to offer the two of you 
the opportunity to give us any final thoughts you might have 
and any recommendations for legislation as we move forward in 
the process here. So I recognize each of you for 5 minutes to 
do that. And you don't have to take the full 5 minutes if you 
would like, but the time is yours if you would like it.
    Ms. Fitzgerald. Thank you. Honestly, as we have thought 
about this, we would greatly appreciate the opportunity to work 
with you and your staff and any members of your subcommittee to 
create a national data breach notification standard. The 
details within it would have to be worked out as we think 
through what would be all the ramifications. And I think 
clearly I would not be the only one with experience, but we 
would love to work with that on you.
    Mrs. Bono Mack. Mr. Schaaff?
    Mr. Schaaff. Thank you. I want to thank you again for the 
opportunity to come and speak today and especially thank you 
for all the work you have done related to intellectual property 
protection. This is a really critical part of the work we are 
trying to do to build and grow our business.
    As you heard in our testimony today and in the private 
session where we shared more technical details regarding the 
breach yesterday, despite taking what we believe to be 
extremely appropriate and substantial steps to build a safe and 
protected network, hackers were able to get into the network. 
The thing that is frightening about this is it is easy to focus 
on Sony and look at the things that we might be able to do in 
the future to strengthen our network, but the reality is 
because we are all building our networks out of the same basic 
ingredients, if there is a weakness in the way that we have 
built things, chances are, the weaknesses may lie in the 
components that we rely on from the variety of vendors that we 
all build our products out of. And I think that we are working 
together as industry to try to strengthen our processes and our 
practices and our technologies, but I think the conclusion that 
I would leave you with today is that without further assistance 
from the government, I think that we are all going to have a 
world of hurt in this internet economy. And we really would 
appreciate and request your assistance.
    And regarding the specific legislation, we are also 
extremely supportive of this and would welcome the opportunity 
to contribute and speak to you further regarding its 
development. Thank you.
    Mrs. Bono Mack. Well, I thank you both very much. And Mr. 
Schaaff, I would also like to address a comment earlier about 
the question of would you or would you not file suit again to 
protect your intellectual property, and I wanted to commend you 
on your answer. And I am glad that you did it then. And you 
know, too often people are afraid of being hacked and the 
retribution because of the decisions you make.
    Mr. Schaaff. It can be a lonely place.
    Mrs. Bono Mack. Well, I want to applaud you for that. And 
again, thank you both very much for the spirit with which you 
came before us today and the spirit of cooperation. I think the 
committee is very excited about the opportunity to work with 
you and to craft good legislation.
    So we have a unique opportunity now as a subcommittee to 
make certain that the future cyber attacks on American 
consumers will never again be a silent crime.
    So at this point I would like to remind all members they 
have 10 business days to submit questions for the record, and I 
ask witnesses to please respond promptly to any questions they 
receive. And the hearing is now adjourned.
    Mr. Schaaff. Thank you very much.
    Ms. Fitzgerald. Thank you very much.
    [Whereupon, at 2:14 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

               Prepared Statement of Hon. Henry A. Waxman

    I would like to thank Chairman Bono Mack and Ranking Member 
Butterfield for following this important issue. Data security 
is not a partisan issue. It is an issue that affects all of us 
because sooner or later everyone is vulnerable to cyber 
attacks: private sector companies of all sizes; federal, state 
and local governments; and the American public.
    Just yesterday, we learned of an attempted attack on Google 
email accounts that included efforts to steal email passwords 
and other information from high-ranking government and military 
officials--a stark reminder of the financial and national 
security risks posed by hackers.
    At last month's hearing titled ``The Threat of Data Theft 
to American Consumers,'' we reviewed how the federal government 
investigates data breaches and what it should do to ensure that 
private sector companies protect the personal information of 
their consumers.
    Today we are going to hear from Sony and Epsilon, two 
companies that recently suffered massive data breaches.
    We have all heard the numbers: the personal information in 
over 100 million user accounts was compromised in the Sony 
breach. The customers of more than 50 major corporations were 
affected by the Epsilon breach, including customers of Target, 
Best Buy, JP Morgan, and US Bank.
    While we will delve into the specifics of these two 
breaches, the point isn't to make an example of these two 
companies. We need to know how these breaches happened and to 
find out what these companies are doing, and what they can do 
better. And we need to understand the appropriate federal role 
in this area. We need a government that can partner with 
companies to make sure they do a better job protecting the 
information they demand of consumers.
    As I said at the last hearing, the private sector can, and 
must, safeguard personal information. If companies do not take 
reasonable steps to guard their data and they suffer a cyber 
attack or data breach, the cost to consumers can be immense.
    When it comes to data security, prevention is the best 
medicine and certainly the cheapest. Yet too many companies are 
not doing enough prevention and consumers are paying the price.
    We in Congress also have a role; we can conduct oversight 
and legislate when needed. The recent attacks on Sony, Epsilon, 
and now Gmail are proof that it is indeed time to legislate. In 
particular, Congress should pass the Data Accountability and 
Trust Act; H.R. 2221 from the 111th Congress.
    The bill requires companies to have reasonable data 
security measures in place and to notify consumers once a 
breach has occurred. It passed the House last Congress with 
strong support from both sides of the aisle. We should take 
swift action to pass it in this Congress.
    I look forward to today's hearing and working together to 
ensure that the private sector is doing all that it can to 
protect the personal information of the American people.
                              ----------                              


               Prepared Statement of Hon. Edolphus Towns

    Thank you Chairman Bono-Mack and Ranking Member Butterfield 
for holding this hearing today on the importance of Data 
Security to our nation. The information age has ushered in a 
new era in technology that offers many Americans the ability to 
access, store and transfer massive amounts of information at 
any given time. With the advent of the internet and the 
advancement of e-commerce, Americans have been able to engage 
in a variety of online activities that require personal 
information to be shared in cyber space.
    Unfortunately more often than not this information is 
compromised by computer savvy individuals that use this 
information to access the identity of their victims. Data 
breaches have become more common in recent years due to the 
massive amounts of personal information that are stored on 
computer servers which many people thought were secure. In 
April of this year Sony Corporation and Epsilon Data Management 
revealed they had been involved in two of the biggest data 
breaches this year. Sony made public that its Play Station 
Network had been breached on April 26th, 2011; however the 
breach took place one week prior to their notification of Play 
Station account holders. The Sony Play Station Network has over 
77 million accounts that were compromised due to this lapse in 
security. It is my hope that this hearing will shed light on 
how this breach was able to take place and why it took a week 
for Sony to notify its account holders.
    Epsilon Data Management LLC is one of the largest email 
marketing companies in the country. Over 40 billion emails are 
sent from this company annually to consumers. On April 1, 2011 
Epsilon revealed that an unauthorized entry to its email system 
had occurred, exposing the personal information of several 
million customers of companies employing Epsilon for marketing 
purposes. Reportedly consumer information had been available 
for months.
    Consumers must feel safe in knowing that the information 
that they share with companies involved in e-commerce is safe 
and secure. The recent data breaches at the Sony Corporation 
and Epsilon Data Management raise questions about what 
protocols are in place to protect consumers against hackers who 
would do them harm. Currently there is no comprehensive federal 
law that requires all companies that hold consumer's personal 
information to implement reasonable measures to protect that 
data.
    I look forward to working with my colleagues on this 
committee to ensure the American people that their personal 
information is kept safe from malicious cyber attacks.
    Thank you madam chair, I yield my time.
                              ----------                              

[GRAPHIC] [TIFF OMITTED] T1258.046

[GRAPHIC] [TIFF OMITTED] T1258.047

[GRAPHIC] [TIFF OMITTED] T1258.048

[GRAPHIC] [TIFF OMITTED] T1258.029

[GRAPHIC] [TIFF OMITTED] T1258.030

[GRAPHIC] [TIFF OMITTED] T1258.031

[GRAPHIC] [TIFF OMITTED] T1258.032

[GRAPHIC] [TIFF OMITTED] T1258.033

[GRAPHIC] [TIFF OMITTED] T1258.034

[GRAPHIC] [TIFF OMITTED] T1258.035

[GRAPHIC] [TIFF OMITTED] T1258.036

[GRAPHIC] [TIFF OMITTED] T1258.037

[GRAPHIC] [TIFF OMITTED] T1258.038

[GRAPHIC] [TIFF OMITTED] T1258.039

[GRAPHIC] [TIFF OMITTED] T1258.040

[GRAPHIC] [TIFF OMITTED] T1258.041

[GRAPHIC] [TIFF OMITTED] T1258.042

[GRAPHIC] [TIFF OMITTED] T1258.043

[GRAPHIC] [TIFF OMITTED] T1258.044

[GRAPHIC] [TIFF OMITTED] T1258.045


                                 
