InfoLaw Update - February 2013
In this month's issue of InfoLaw, Natalie Ruane our new Infomation law expert, explores the growing willingness of the ICO to impose hefty fines for breach of conduct.
Sony fined £250,000 by ICO
On 24th January 2013 the Information Commissioner’s Office announced that it was fining Sony Computer Entertainment Europe Limited £250,000.00 for its alleged failure to prevent a data leak that occurred in April 2011 following the hacking of Sony’s PlayStation Network gaming platform. Some have hailed this fine as a step forward for the ICO, showing that they are prepared to order significant fines, but is a fine at this level really a deterrent for a multi-national the size of Sony?
Sony’s gaming platform allowed Playstation 3 users to log in and download games and other media, as well as play games against other users. The hacking of this system in April 2011 meant that vast amounts of customer information were potentially put at risk, including names, addresses, email addresses, dates of birth and account passwords. Customers’ card payment details were also at risk, although there is no evidence that the encrypted payment card details were accessed. Back in April 2011 Sony admitted that personal information relating to as many as 77 million people worldwide might have been accessed.
The Data Protection Act 1998 (‘the Act’) which governs how personal data can be handled in the UK sets out eight general principles for data handling. The seventh of these principles and the most pertinent in this decision is that –
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
The ICO acknowledge that Sony took some steps to try to prevent its system being hacked, but they were critical of the efforts made, commenting that – ‘The data controller (Sony) failed to ensure that the Network platform service provider kept up with technical developments. Therefore the means used would not, at the time of the attack, be deemed appropriate, given the technical resources available to the data controller’.
This is an interesting comment for the ICO to make in their decision as it implies that when a similar situation arises in the future they will consider the technical expertise and resources of a data controller before deciding what amount to ‘appropriate technical and organisational measures’.
The Act already specifies that the level of technological development and the cost of measures should be taken into account when considering the ‘appropriate’ level of security in light of the harm that could result from mistreatment of the exposed data and the nature of the data put at risk. However, it may offer some reassurance to data controllers that the ICO do not seem minded to hold every organisation to the same standards as they found it reasonable to expect of Sony.
An aggravating feature of the Sony case was that as an organisation they were found to be holding vast amounts of personal data, in potential contravention of the third data protection principle which states that –
‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’
This element of the Sony case therefore serves as a timely reminder to all data controllers that no matter what the size of your organisation it is important to regularly review your data retention policies to ensure that the personal information that you do hold is relevant and necessary'.
Mitigating circumstances were also taken into account in the decision and the ICO did concede that Sony was the subject of a sustained criminal attack, no personal data appeared to have been used for fraudulent purposes and no complaints had been received by the ICO in that regard. Sony was also given credit for voluntarily reporting the breach to the ICO, informing affected customers, offering them a new services package by way of compensation and carrying out substantial remedial work to rectify the problem.
This is not the first time that the ICO has issued a fine, but it is one of the largest. The ICO can in fact issue fines of up to £500,000.00 , but decided not to in this case. The ICO clearly view the penalty imposed on Sony as sufficient and David Smith, Deputy Commissioner and Director of Data Protection at the ICO stated on 24th January 2013 that –
‘The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.’
That said, if Sony pay the fine by 13th February 2013 they can take advantage of a ‘prompt payment’ system and get a reduction of the fine to £200,000.00. In fact Sony has indicated that it intends to appeal against the decision and the deadline for such an appeal is also the 13th February 2013. It may be that Sony will try to pay the discounted fine and appeal simultaneously, but this in itself would involve a challenge to the established rules of the ICO, as this is not currently allowed.
Moving forward it will be interesting to see how the expected Sony appeal unfolds and what further light it sheds on the meaning of ‘appropriate technical and organisational measures’ and whether the fine issued by the ICO is in time reduced or upheld.
Although the ICO defend the fine levied on Sony and view it as high, the reality is that it is not a substantial sum to such an organisation. That said, it does reflect a growing willingness of the ICO to impose fines where warranted and a number of other organisations, such as local authorities and NHS trusts have also been hit with financial penalties, which I am sure were more acutely felt than that imposed on Sony.
If your organisation needs advice on how best to protect itself from potentially breaching the Act then we are here to help. Please contact Natalie Ruane, our Information Law expert on 01228 552222.
About the author
Natalie is a Partner and leads the Employment Law & HR team and specialises in education.
Published: Friday 22nd February 2013
Categorised: Information Law