The fallout continues from the massive security breach of Sony’s online PlayStation Network (PSN) in April 2011, when the network was shut down for over three weeks following an external hack that compromised the personal data of almost seventy-seven million user accounts and put their payment card details at risk. Recently, the United Kingdom’s Information Commissioner’s Office (ICO) levied a £250,000 ($396,000) fine on Sony for violating the country’s Data Protection Act, calling the breach “preventable” had Sony properly strengthened PSN’s security; the ICO’s investigation found that the attack could have been stopped had the network’s software been kept up to date and passwords been adequately protected.
The Data Protection Act 1998 is the governing legislation in the United Kingdom on the “…processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.” Passed to bring the UK into line with the European Union’s data protection directive of 1995, the DPA spells out the conditions under which personal data may be collected, accessed, stored, and transmitted under UK law. The DPA establishes eight separate data protection principles, the seventh of which states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” It is this principle that, in the eyes of the ICO, Sony violated, with the PSN breach as the evidence.
According to David Smith, Deputy Commissioner and Director of Data Protection for the ICO, the significant amount of personal financial data that Sony possessed in operating PSN, as well as its reputation for technological skill, placed a high obligation on Sony to act responsibly in protecting that data. “[T]here’s no doubt in my mind that [Sony] had access to both the technical knowledge and the resources to keep this information safe. The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”
Sony released a statement after the fine was announced in which it “strongly disagreed” with the ICO and announced plans to appeal. In its defense Sony points to something the ICO itself acknowledges, that Sony was the victim of “a focused and determined criminal attack”, and takes the position that “there is no evidence that encrypted payment card details were accessed”, going further to claim that any “personal data [accessed in the breach] is unlikely to have been used for fraudulent purposes”. That defense speaks to the harm that resulted rather than to the adequacy of the safeguards in place, and it is the latter that the seventh principle quoted above governs.
Sony’s appeal could face complications in light of pending changes to data protection in the European Union. American and European companies are waging a lobbying war against the EU’s recently released draft revisions to the 1995 data protection directive, which would dramatically increase individual protections as well as the maximum fines to which violators are subject. As a member state of the EU, the United Kingdom is required to bring its laws in line with those of the larger organization, as the existing DPA under which Sony has been fined demonstrates. If Sony wants to fight the case, it may well wish to move quickly lest its exposure for the breach grow even worse.