Want to know what happens when one of the world's leading consumer brands fails to adequately protect its users' data?
We all read with interest the issues which beset Sony's playstation network platform last year when it was illegally hacked after a security vulnerability was exposed and exploited by hackers through a series of 'denial of service' attacks.
At the time, users were concerned about their data & annoyed about the consequences of the breach (particularly, the unavailability of the platform over the Easter weekend and Sony's handling of communications regarding the breach). Sony executives eventually made a public apology about the incident and set out about rebuilding the platform to increase the security of its users' data.
Millions of users' details including names, addresses, dates of birth and account passwords were compromised together with payment details as a result of the hackers' exploitation of the security vulnerability in the platform.
What's Happened Now?
Fast forward nine months...the ICO has today confirmed that it has issued Sony with a 250k fine for Sony's breach of the seventh principle (broadly, an obligation to use appropriate security measures to safeguard users' personal data).
Why Does It Matter To Me & My Organisation?
The fine will grab headlines in the UK and around the world due to the fact that it involves Sony, but in data protection compliance terms, it's simply another example of the recurring issue of security.
To date, all but one of the ICO's fines relates to a security breach and this is yet another example of the ICO taking action in circumstances where the data controller has failed to comply with the seventh principle - in this case, due to Sony's alleged failure to apply software updates to protect user data and developments in technology which rendered user accounts insecure.
The focus of the ICO's attention in this case is concerning - how many other organisations are using IT systems with known vulnerabilities due to delays in implementing new software releases, often due to budget issues or conflicting priorities?
Again, a key theme (and requirement of the seventh principle) is for data controllers to apply security measures which:
- Have regard to the state of technological development.
- Ensure a level of security which is appropriate to the nature of the data which it is designed to protect and the harm that might result from unauthorised use of that data.
The key point here is that this is an ongoing obligation and organisations need to have processes in place to continually assess the adequacy of their technological security measures to ensure that they continue to satisfy these requirements.
Anything Else I Should Know?
Whilst the fine is no doubt embarassing for Sony and will be damaging to its brand as a result of the press attention which the ICO fine will generate, it could have been worse.....
- Under current UK law, Sony could have been fined upto £500k - given the ICO's comments that this is an example of the most serious type of breach by a trusted technology provider that should have been able to better protect its users' data, one wonders why the fine was set at half the potential level that could have been applied; and
- Under the proposed General Data Protection Regulation, the fine could have been up to 2% of annual global turnover (and it therefore serves as another timely reminder of why organisations should take steps now to prepare themselves for the new Regulation).
It may get worse still for Sony as other data protection regulators in other jurisdictions continue their own investigations into the breach including the Data Protection Commissioner in Ireland.
Sony firmly disagrees with the ICO's fine and has stated that it plans to appeal....we'll keep you posted on any developments.