By Gautham Nagesh - 04/13/11 04:33 PM EDT
At Tuesday's hearing in front of a Senate Judiciary Crime subpanel, Sen. Richard Blumenthal (D-Conn.) asked a representative from the Secret Service whether firms like Epsilon should have a greater obligation to prevent and respond to major data breaches.
The marketing firm was hit by an attack that reportedly revealed the names and email addresses of customers at a number of large e-commerce sites.
Pablo Martinez, deputy special agent in charge of the Secret Service's Cyber Crime Operations, replied that a national data breach law is needed to replace the 47 separate state laws in place, each with their own notification requirements.
The letter states that while the hacking of Epsilon appears to be a clear violation of the Computer Fraud and Abuse Act (CFAA), there is more ambiguity in instances when users exceed their authorized access on a device, particularly if there is no document laying out the scope of that authorization. That makes it unclear whether unauthorized sharing of user data by app makers constitutes a violation of the law.
"Because many smartphone apps lack privacy policies, many of the applications being investigated by the U.S. Attorney's Office may fall into this legal gray area," the senators wrote.
"We write to ask the Department to clarify how it determines the scope of authorization under the CFAA in the absence of a written policy or agreement addressing the issue."
The senators also urge DOJ to clarify to all prosecutors that the CFAA protects smartphones and other electronic devices in addition to traditional desktop and laptop computers, adding that doing so would "help U.S. Attorneys and Department officials recognize and stop violations of the CFAA's modest protections."
This story was updated at 11:14 p.m. on April 14, 2011 to clarify the Senators' request.