The ICO has “fined” Sony £250k for its Playstation Network breach.
My swiftly-grabbed breakfast coffee yesterday morning was interrupted by an emailed press release from the Information Commissioner’s Office (ICO) informing us that a civil Monetary Penalty Notice (MPN) in the sum of £250,000 had been served on Sony Computer Entertainment Europe Limited by the ICO. It was such an important case it was celebrated by a rare foray into video by the ICO’s David Smith. This was the outcome of investigations into a data security breach in April 2011 which had, in the ICO’s words, the effect of
compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk
An MPN is served under section 55A of the Data Protection Act 1998. One can be served where the ICO determines that there has been a serious contravention of the Act, of a kind of a kind likely to cause substantial damage or substantial distress, and the data controller knew or ought to have known that there was a risk a contravention of this type would occur, but failed to take reasonable steps to prevent it.
There is a right of appeal against both the MPN itself, and the amount, to the First-tier Tribunal (FTT). Rather to my initial surprise Sony swiftly announced they were lodging an appeal. I had noticed that there were very large parts of the ICO’s formal MPN document that were blacked out. See
and
Even figures such as the estimated worldwide number (in millions) of PS Network users were redacted. I had a suspicion that some sort of negotiation might have taken place between the ICO and Sony, whereby the former would willingly redact everything the latter asked for, if the latter accepted their punishment. The announcement that they would appeal showed how I should be wary of my suspicious nature*.
Sony say
the ICO recognises Sony was the victim of “a focused and determined criminal attack,” that “there is no evidence that encrypted payment card details were accessed,” and that “personal data is unlikely to have been used for fraudulent purposes” following the attack on the PlayStation Network.
This seems to miss the point that section 55A does not require the ICO to determine that harm has occurred, only that the contravention was likely to cause substantial damage – or distress. As the ICO points out, thousands of people had their personal details (names, address, dates of birth and account password)s were compromised. The risk of identity theft existed, and, as the ICO points out, continues to exist. However, a question does arise as to how serious the breach was.
Last week the FTT handed down judgment in an unsuccessful appeal of a previous MPN served on Central London Community Healthcare NHS Trust (for a detailed analysis of that case, see Robin Hopkins’ piece on the Panopticon blog) . As a result of this we now know a bit more both about the ICO’s procedures in serving MPNs and the FTT’s likely approach to any further appeal. We know (paragraphs 37 and 38) that the FTT will conduct in effect a de novo hearing of the facts, and permit itself, where appropriate, to substitute its own view for the ICO’s, but that it will be likely to afford a degree of deference to the ICO’s views, given his expertise in DPA matters. We know (paragraph 39) that the FTT could increase the amount of the MPN. We also know that £250,000 marks the border between what the ICO sees as a “very serious” type of breach and the “most serious” type. One suspects Sony will be asking the FTT to consider whether this breach, which potentially affected a huge number of people, but which did not involve sensitive personal data, was as serious as the ICO treated it.
Personally, I think it was – the sheer numbers, and fact that this data is still out there, perhaps being sold and traded to crooks and spammers, make it so. Although the FTT could take a different view, Sony could well be living in the land of make believe.
One final point. Some have suggested that the ICO has traditionally been unwilling to take on the large private sector organisations when it comes to data protection enforcement. The suspicion has been that he is reluctant to risk lengthy and costly challenges. With this action, the ICO gives (at least a little bit of) lie to that. It would be a real shame if a lengthy and costly challenge ensues. We don’t want the ICO to whisper “I told you so”, do we?
*Actually, my suspicious nature makes me wonder if they will ultimately pursue the appeal. Although it will cost them nothing, this isn’t about cost, but reputation, and do Sony really want to risk another day of bad headlines about their data security, in the event that they lose the appeal?
