Following several distributed denial-of-service attacks on various online networks of the Sony group, the Sony PlayStation Network Platform was hacked in April 2011. The attacker was able to access the personal information of millions of customers, including their names, addresses, dates of birth, account passwords and payment card details. The Information Commissioner’s Office (ICO) found that there had been a serious contravention of section 4(4) of the Data Protection Act 1998 (DPA), namely, a breach of the seventh data protection principle, which provides that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In assessing the fine at £250,000, the ICO took into account aggravating features such as Sony Computer Entertainment Europe’s (SCEE) failure to ensure that appropriate technical measures were in place (like additional cryptographic controls to protect passwords) and its failure to anticipate further attacks and to take appropriate security measures sooner. In mitigation, the ICO found that SCEE had been subject to a focused and determined criminal attack on the Network Platform (even though it should have been anticipated) and that SCEE had voluntarily reported the breach to the ICO.
The fine sends a clear message to organisations that software needs to be kept up to date to protect personal information from computer hackers. Under sections 55A and 55B of the DPA, the ICO may serve a monetary penalty notice of up to £500,000 where there has been a serious contravention of section 4(4) of the DPA and the contravention was of a kind likely to cause substantial damage or distress. The fine against SCEE is one of the biggest levied by the ICO and is a reminder to businesses that the ICO is toughening its stance on breaches of privacy. Companies need to be very careful about their retention of data and must have strong and effective measures in place to keep data safe.
Druces LLP can help you with this by advising on what protections you need and what your responsibilities are. Please contact Christopher Evans for further information.