Sony Playstation Network hack fine should have been higher, argue legal experts

News 25 Jan, 2013

Industry watchers cast their eye over yesterday's ruling by the Information Commissioner's Office.

The Information Commissioner's Office (ICO) recently hit Sony with a fine for one of the largest data breaches of 2011, which has prompted considerable debate within the tech industry.

The Japanese electronics firm Sony was fined £250,000 for the hack on its Playstation Network in April 2011, which resulted in the personal details of more than 77 million people being compromised.

Vinod Bange, a partner in the IT group at international law firm Taylor Wessing, thinks the fine should have been higher.

"If the fine was to really reflect the damning comments made by the Information Commissioner's Office, then the fine is arguably not as high as it could have been," said Bange.

"It is also arguable that the fine is a mere slap on the wrist compared to the adverse publicity, impact on brand and consumer trust," he added.

The £250,000 fine is half of the maximum penalty the ICO can issue to companies that fall foul of the Data Protection Act (DPA).

Alexander Hanff, an independent privacy campaigner, backed Bange's view on the size of Sony's fine.

"Seeing as the ICO has the power to fine companies up to £500,000, in this instance, I think it would have been absolutely correct to issue the maximum fine," he told IT Pro.

Sony plans to appeal the ruling, stating there is no evidence the compromised data has been used for fraudulent purposes so far.

Nick Pickles, director of the privacy campaign group Big Brother Watch, believes that Sony got off lightly, considering the number of people affected by the breach.

"The fine does appear relatively small so it is surprising Sony is appealing," he said.

"Particularly when the ICO’s investigation found that software was not up-to-date and passwords were not held as securely as they could have been.

"It would be worrying if Sony were able to escape - what is in reality - a modest punishment."

Pickles also remarked on Sony's claim that none of the compromised data was used for fraudulent purposes.

"Given data driven identity crimes now constitute the vast majority of all fraud in the UK it's not always immediately clear who has been harmed by [these kinds of] security breaches," he continued.

"Equally, data compromised from Sony may contribute indirectly to other crimes for years to come. So to argue there has been minimal consumer harm is based on little more than Sony executives crossing their fingers."

Marc Dautlich, data protection law specialist at legal firm Pinsent Masons, said Sony's appeal could enlighten organisations about the technical measures they must take to prevent data breaches.

"The Sony appeal could be extremely interesting as it may provide an insight into what the ICO considers to be an appropriate standard of security that organisations have to have in place, particularly as it is a case involving a company in the private sector," he said.

Hanff added that, in order to comply with the DPA, Sony should have made sure all of the factors that could have contributed to the breach were covered.

"From what I have read it seems that there were a number of factors involved [in this breach]: weak passwords, non-patched software, poor network security, no encryption," he said.

"At the very least, in order to comply with the Data Protection Act with regards to the safeguarding of data, all of the above needed to be addressed.

"Furthermore, any corporation that is not applying security patches as soon as they become available is behaving negligently," he added.