Sony Monetary Penalty

January 24, 2013

The entertainment company Sony Computer Entertainment Europe Limited has received a monetary penalty of £250,000 from the Information Commissioner’s Office (ICO) following a serious breach of the Data Protection Act.

The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.

An ICO investigation found that the attack could have been prevented if the software had been kept up to date, and that, given the state of technology at the time, the way passwords were stored was not secure.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Following the breach, Sony has rebuilt its Network Platform to ensure that the personal information it processes is kept secure.

View a copy of today’s monetary penalty notice (redacted document), which includes further details about the case. The following aggravating and mitigating features are worth highlighting (thanks to Michelle Morgan of Hill Dickinson for the précis):

Aggravating

  • The contravention was considered serious because of the nature and vast amount of personal data placed at risk.
  • The ICO found that Sony should have been aware of the vulnerability of its network platform (following the previous DDoS attacks) and should have acted sooner to protect the personal data.
  • Sony is part of a multinational group of companies with sufficient resources to address security issues.

Mitigating

  • It was noted that Sony was subject to “a focused and determined criminal attack” and it had taken steps to secure some aspects of the network platform.
  • The compromised personal data is unlikely to have been used for fraudulent purposes and no complaints have been received by the ICO.
  • Sony was noted to have been fully cooperative with the ICO, including voluntarily reporting the contravention to the ICO. It has also taken “substantial remedial action”, including informing the affected data subjects and offering reparation where appropriate.
  • The ICO noted that the security breach had had a significant impact on Sony’s reputation.
  • Following the breach, Sony has rebuilt its network platform to ensure that the personal information it processes is kept secure.

Michelle Morgan, Solicitor, Commercial Team, Hill Dickinson LLP, comments:

Given the seriousness of the breach, and the size and financial resources of Sony, it is perhaps surprising that the ICO did not take this opportunity to use its powers to issue a maximum penalty of £500,000 against Sony.

Nevertheless, this monetary penalty should serve as a reminder to all organisations (public and private sector) that they must ensure that appropriate and effective security measures are applied to personal data stored on their computer systems. The ICO appears to have looked carefully at the impact that the negative publicity had already had on Sony and, as such, it also highlights the impact that a security breach can have, which can include serious reputational damage as well as the risk of a substantial monetary penalty.

This case also emphasises that, in the event of a breach, data controllers are strongly advised to consider making a voluntary notification to the ICO where appropriate and to co-operate fully with the ICO, as this may be taken into account by the ICO as a mitigating factor. As with a number of other penalty notices, the co-operation of the data controller and the remediation steps taken are likely to have reduced the amount of the penalty.

Laurence Eastham comments:

This is a strange instance of one law for the rich and another for the poor. Normally that’s a guarantee that the poor are being downtrodden but this time it’s the rich; I am amazed to discover that I feel just a little sympathy for Sony. It is hard to believe that a smaller company would have received a monetary penalty when it was very much more victim than offender. Indeed, the logic behind the serving of the monetary penalty is that Sony was in breach of its obligations under the DPA prior to the leak. If you think the ICO would in fact have served a penalty on a casual/invited inspection because Sony were not quite up to the mark technically, please send me some of your drugs. Moreover, so far as one can tell from the heavily redacted monetary penalty notice, nothing really crucial was lost.

Still, it is hard to argue with the point that a company with Sony’s resources should always be absolutely up to date with technical security. The penalty, though large by some standards, would not make a US regulator salivate and it is scarcely likely to embarrass Sony financially.

I am sure that the Sony story will be the hook on which a million security scare stories will be pegged – no doubt I will be receiving some before the day is out. The sad truth for law firms is that the scare is probably justified. You may not have Sony’s resources but the nature of the information you hold means that you too are under an exceptionally heavy burden to protect your firm’s data and are really required to keep bang up to date technically. You may have to loosen the reins on your IT security budget to do so.