Keywords: UK ICO, penalty, security breach, personal data

The UK Information Commissioner's Office (the "ICO") has fined Sony £250,000 for what it describes as "one of the most serious" cases ever reported to it following a breach of security of its PlayStation Network Platform (the "PlayStation Platform").

In April 2011, a group of hackers attacked a part of the PlayStation Platform maintained by Sony Computer Entertainment Europe Limited ("SCEE"), a European subsidiary of Sony, which led to the exposure of personal data relating to millions of its customers in Europe, the Middle East, Africa, Australia and New Zealand. The information accessed by the attackers included customers' names, physical and e-mail addresses, dates of birth, account passwords and, in some cases, credit card details. The same group of hackers had previously attempted to infiltrate Sony's systems. SCEE had security measures in place to protect its customers' personal data, but it had failed to keep those measures up to date, leaving the PlayStation Platform vulnerable to such attacks.

Following its investigation, the ICO determined that Sony had not complied with its obligations under the Seventh Data Protection Principle of the Data Protection Act 1998. The Seventh Data Protection Principle requires that:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The ICO found that SCEE had failed to ensure that appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on its servers.

While the maximum penalty the ICO could have issued is currently capped at £500,000, the ICO has been steadily increasing the size of the fines it issues for breaches of the Data Protection Principles over the last few years, with penalties now often reaching six-figure sums. This case is no exception. David Smith, Deputy Commissioner and Director of Data Protection, expressed his view that:

"The penalty we've issued [...] is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."

The ICO acknowledged that it took several mitigating factors into account when determining the severity of the penalty to impose on Sony, including that:

  • The attack was conducted by a determined group of professional hackers;
  • SCEE did have security measures in place, even though those measures were not sufficient in the ICO's opinion;
  • SCEE has since completely rebuilt the PlayStation Platform; and
  • SCEE informed its customers about the attack and offered to compensate them.

This latest fine demonstrates that any breach of security, even when quickly rectified, can lead to substantial penalties being imposed by the ICO if the ICO determines that there has been a significant breach of the Data Protection Act 1998. Organisations that process consumers' personal data need to remain vigilant and verify that they protect personal data with the latest appropriate security measures on a regular basis. Sony has indicated that it intends to appeal this decision.

Originally published on 30 January 2013.

© Copyright 2013. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.