Hacked off – ICO fines Sony for PlayStation data breach

Posted: February 19, 2013

Hacked off?  Millions of PlayStation network customers around the world must have been when criminals hacked into Sony’s network in 2011, compromising their personal data.  The UK Information Commissioner’s Office saw this security breach as “probably the most serious” ever reported to the ICO.  In January 2013 the ICO fined Sony Computer Entertainment £250,000 for failure to comply with UK data protection law – the largest fine yet imposed by the ICO on a private company.

The case could not be more topical: in recent months there has been a string of high-profile security breaches at US technology and media organisations.  At the start of February 2013, a quarter of a million Twitter users had their passwords reset after “sophisticated”[i] hackers broke into Twitter’s database and may have stolen user names, emails and encrypted passwords.  Only two weeks previously, Apple and Mozilla turned off Java by default in their browsers after security breaches on the websites of the Wall Street Journal and the New York Times.

Such security breaches clearly cause massive embarrassment and negative publicity for the organisations concerned.  But under the UK data protection framework, significant financial penalties can also be imposed by the ICO for serious contraventions of UK data protection law.  The Sony case is now a leading example, and is an object lesson for technology and media organisations that process personal data on an international scale.

Legal background

The UK Data Protection Act 1998 (DPA) sets out eight data protection principles.  Any person who determines the purposes of processing of personal data is a “data controller” and must comply with the principles[ii].  The seventh principle requires “appropriate technical and organisational measures” to be taken against “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”[iii].

The measures must ensure a level of security appropriate to (a) the “harm that might result” from such processing, loss, destruction or damage and (b) the “nature of the data”, in light of “the state of technological development and the cost of implementing any measures”[iv].

Since April 2010 the ICO has had the power to impose a fine of up to £500,000 for a serious breach of the data protection principles[v].  The breach must be “of a kind likely to cause substantial damage or substantial distress”, and the data controller must have either: (a) deliberately breached the principles; or (b) known (or ought to have known) that there was a risk that the breach would occur (and that the breach would be of such a kind), but failed to take reasonable steps to prevent the breach.

In January 2012 the ICO produced additional guidance on its approach to serious data security breaches[vi], citing the following as factors that make the imposition of a fine more likely:

personal data of a sensitive nature;
a lengthy and extensive breach;
a large number of individuals actually or potentially affected by the breach;
relevance to an issue of public importance; and
deliberate or negligent behaviour on the part of the data controller.

So it is clear that a high standard of care is expected on the part of the data controller, and wilful or negligent acts or omissions relating to potential security flaws make a data controller more likely to be exposed to fines.

The PlayStation case

In April 2011 Sony’s PlayStation Network Platform was subject to several “distributed denial of service” attacks, in which an anonymous hacker gained access to personal data stored on the platform, including millions of customers’ names, addresses, email addresses, dates of birth and account passwords.  The attacks compromised the personal data of millions of customers on the platform, which could have included customers’ payment card details (although there was no evidence that payment card details were accessed).  The platform covered Europe, the Middle East, Africa, Australia and New Zealand.  It was administered and maintained by a US service provider, which was part of the Sony group of companies.

The ICO found that Sony, as the data controller, failed to ensure that the platform service provider kept up with technical developments.  So the means of security used would not, at the time of the attack, be deemed appropriate, given the technical resources available to Sony.  It was found to be very likely that the hacker gained access to the platform through a vulnerability that Sony failed to address, even though appropriate updates were available.  The ICO criticised the lack of additional cryptographic controls to protect passwords.  In addition, various online networks of the Sony group had been subjected to several similar attacks before the attack on the PlayStation platform, and Sony ought to have taken appropriate security measures to prevent further attacks.  Accordingly, the ICO concluded that Sony knew (or ought to have known) that there was a risk of a security breach which was likely to cause substantial damage or substantial distress[vii].

In assessing the level of the fine, the ICO highlighted a number of aggravating factors, including:

the nature and amount of personal data; and
the facts that:
• other online and offline accounts of customers could have been placed at risk;
• Sony should have been aware of the vulnerability of the platform and have acted sooner to address such vulnerability (particularly as Sony is part of a multi-national group of companies with sufficient resources to address security issues); and
• Sony had sufficient financial resources to pay a fine up to the maximum, without causing undue financial hardship.

The fact that no actual harm appears to have been done was irrelevant: the potential for damage or distress to data subjects was sufficient, even if it was just the possibility of wider access to their personal data as a result of the breach.  In a press release accompanying the Monetary Penalty Notice, David Smith, the Deputy Commissioner and Director of Data Protection, observed that the case “directly affected a huge number of consumers, and at the very least put them at risk of identity theft”[viii].  The ICO’s concern here is understandable: data-driven identity theft may not become immediately clear, and so the true effects of such a breach may not be felt for some time.

The ICO did not, however, impose the maximum penalty, in light of certain mitigating factors.  Those included the facts that:

Sony had been the object of a “focused and determined criminal attack”;
the personal data were unlikely to have been used for fraudulent purposes;
Sony had voluntarily reported the breach to the ICO;
the data subjects were informed, and reparation was offered where appropriate; and
Sony co-operated fully with the ICO in its investigation.

Possible appeal

At the time of writing, Sony has been reported as stating that it “strongly disagreed” with the ICO’s ruling and was planning to appeal against it.  A data controller can appeal to the General Regulatory Chamber of the First-tier Tribunal against the imposition of a fine and/or its amount[ix].  The appeal must be served within one month of the ruling, unless the Tribunal extends the period for service.  The Tribunal will allow an appeal if it considers that: (a) the penalty notice is not consistent with the law; or (b) in cases involving ICO discretion, the ICO should have exercised its discretion differently.

Conclusion

Underlying this decision is the ICO’s objective of promoting compliance with the DPA and reinforcing the need for appropriate and effective security measures[x].  For many years DPA enforcement was commonly perceived as lacking “teeth”.  Plainly, the bark is no longer worse than the bite: the ICO’s determination to enforce compliance is illustrated by the level of fine imposed on Sony.

While several commentators have in fact seen the fine as lower than expected, it remains a significant sum.  Besides, in setting the level of the fine, the ICO took the mitigating factors into account, which also included the “significant impact on reputation” resulting from the security breach.  That could itself cause loss of consumer and/or investor confidence, and ultimately loss of custom and even brand damage.

This leaves little room for complacency.  First, prevention remains better than a cure in the context of data security: data controllers should be increasingly vigilant about the ubiquitous threat of data security breaches, and the effectiveness of security should be regularly monitored in the light of the data security “arms race” against increasingly sophisticated hackers.  Secondly, if a serious breach does occur, data controllers should act quickly and efficiently in dealing with it, including a prompt report to the ICO, alongside other steps to mitigate any potential damage or distress to the data subjects concerned.

The Sony case also has significance at an international level.  Multi-national companies like Sony may be based in jurisdictions with a less stringent data protection regime (such as the USA).  In practice, this can seem to make them vulnerable to falling foul of data security requirements in jurisdictions with more stringent requirements.  This risk underlines the need for any organisation that processes large amounts of personal data on an international scale to implement robust data security practices, as well as to review them for compliance with local data protection laws in each country of operation.

Ed Baden-Powell and Luke Anthony

Article written for the World Data Protection Report
____________________________________________________________________________________________________________________

[i] According to Bob Lord, Twitter’s director of information security.
[ii] DPA, s. 4(4).
[iii] DPA, Sch. 1, Pt I.
[iv] DPA, Sch. 1, Pt II, para. 9.
[v] DPA, s. 55A.
[vi] The guidance was issued under s. 55C(1) of the DPA and can be found at: http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/ico_guidance_on_monetary_penalties.ashx.
[vii] See paragraphs 6, 9 and 10 of the Monetary Penalty Notice of 14 January 2013, which is available on the ICO website at: http://www.ico.gov.uk/enforcement/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx.
[viii] http://www.ico.gov.uk/news/latest_news/2013/ico-news-release-2013.aspx
[ix] DPA, s. 48.
[x] As spelled out in the “other considerations” cited in the Monetary Penalty Notice.