On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) announced that it has fined Sony Computer Entertainment Europe Limited £250,000 (approximately $390,000 US) as a result of the 2011 data breach of the Sony PlayStation Network (“PSN”).
In April 2011, Sony announced that it suffered a series of data breaches on the PSN and Sony Online Entertainment affecting up to 101.6 million records. This included customer name, address, email, date of birth, login/password information, online identification, purchase history, billing address, and password security questions. It also included up to 12 million unencrypted credit card numbers.
Under the UK Data Protection Act 1998, a data controller, such as Sony, must comply with the data protection principles so that personal information is:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than is necessary;
- Processed in line with your rights;
- Secure; and
- Not transferred to other countries without adequate protection.
As described in its Monetary Penalty Notice, the ICO can issue a fine up to £500,000 for a “serious contravention” of these data protection principles.
Sony faced U.S. Congressional scrutiny shortly after the 2011 breach. However, Sony representatives declined to testify before the U.S. House Commerce Subcommittee in a hearing on comprehensive federal data security and data breach notification legislation. Also, private class action litigation against Sony arising from the data breach is still pending.
Businesses with a global customer base (online or otherwise) should be mindful of the privacy and data security obligations triggered by collecting personal information from consumers around the world.