The Information Commissioner's Office (ICO) has announced that it will be fining electronics giant Sony £250,000. This follows an investigation carried out by the ICO into a data security breach which took place in April 2011, when the Sony Playstation Network was hacked, putting the personal data of millions of Sony customers at risk of identity theft. The ICO has the power to impose fines of up to £500,000 for the most serious breaches of the Data Protection Act, though the vast majority of the fines which have been imposed to date have been against public sector organisations.

In deciding upon a suitable penalty, the ICO took into account various factors, including the scale of the breach, the number of customers whose details were at risk and the failure on the part of Sony to have in place up to date security systems. David Smith, the Deputy Data Commissioner and Director of Data Protection, commented as follows:
"There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe. The penalty we've issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."

Sony has issued a response to the ICO's decision, stating that it 'strongly disagreed' with the ICO's position and stressing the improvements in data security which have been made in the wake of the breach. Sony has indicated that it will appeal the level of the fine imposed by the ICO.
It is interesting to note that the ICO appears to have taken the technical expertise of Sony into account when deciding on the level of sanction to impose. The Data Protection Act requires organisations to put in place adequate security measures to protect personal data. When deciding on the security measures to be implemented, organisations must ensure that the measures are appropriate given the harm that could ensue if data security is breached and the nature of the data to be protected, having regard to the state of technological development and the costs of implementing the measures.

The ICO cited as one of the aggravating factors in the Sony case the fact that Sony is part of a multi-national group of companies with sufficient resources to address security issues. The Sony case clearly signals that where an organisation has technical expertise at its fingertips and/or significant resources to draw upon, the ICO will expect those resources to be deployed to ensure that personal data is kept securely.
The action taken by the ICO is also a reminder that all organisations (both public sector bodies and private companies) should take appropriate care of any personal data in their possession. Failure to do so can not only lead to action being taken by the ICO, but can also cause serious damage to an organisation's reputation.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.