Congress Is Officially Paying Attention to the Epsilon Breach
Franken chairs the subcommittee on privacy, and says he wants to explore the situation, which could be the first hint that he wants to hold hearings.
He’s not the only person in Congress making noise about it. Sen. Richard Blumenthal, a Democrat from Connecticut, has asked Attorney General Eric Holder to investigate Epsilon for “possible civil and criminal liability.” There’s also talk of hearings on the matter in the House. On top of that, state attorneys general in Rhode Island, Iowa, Nevada and Oregon have started warning consumers in their states about the dangers of clicking links in suspicious emails that may emerge in the coming days. I’ve pasted Blumenthal’s letter below.
Shares in Epsilon parent Alliance Data Systems rose more than one percent today as concern among investors around the business unit that was responsible for 22 percent of its revenue last year seems to have abated for the moment. The company will report quarterly earnings on April 21, and we’re hoping management takes the opportunity to be forthcoming with more details about how the breach happened.
April 6, 2011
The Honorable Eric H. Holder, Jr.
Attorney General of the United States
United States Department of Justice
950 Pennsylvania Avenue, NW
Washington, DC 20530-0001
Dear Mr. Attorney General:
I am writing to formally request an expedited investigation into possible civil and criminal liability, and to highlight key issues to consider in the course of that investigation, concerning recent reports of a major data security breach involving Epsilon, an internet email marketing firm.
On April 1, 2011, Epsilon reported that it had experienced a security breach of its database of customer names and email addresses which it collects from various companies, including many retail and financial firms. The company has not specified how many consumers have been affected by the security breach. Epsilon has not provided a list of companies affected. While some of Epsilon’s client companies have notified their customers of the breach, other consumers may be unaware that their names, email addresses and other potentially identifying information may be at risk.
I believe that immediate notification to all customers is vital to protect them – and enable them to protect themselves – from identity theft. Despite claims by Epsilon that only the names and email addresses of individuals may have been compromised by this security breach, I ask that your review of this incident determine whether individually identifiable financial information has been compromised. Names and email addresses would allow unscrupulous actors to send emails to consumers – ostensibly from the retailers with whom the consumer does business – seeking private financial information such as credit card numbers or checking or banking accounts.
I believe that affected individuals should be notified and provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Epsilon or its affected clients. I believe it is also necessary to provide every affected individual with sufficient insurance to protect them against possible financial consequences of identity theft.
Consumers deserve more complete information on the data breach, as well as the assurance that their personal financial information will be securely maintained. If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years.
Thank you for your attention to this important issue and for your continued work on behalf of the American public.
United States Senate