---
title: "UK ICO Fines Sony £250,000 After 2011 Data Breach"
date: 2013-01-31T09:33:00-05:00
author: Import Bot
canonical_url: "https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/uk-ico-fines-sony-250000-after-2011-data-breach"
section: Blog Posts
---
# UK ICO Fines Sony £250,000 After 2011 Data Breach

 January 31, 2013

 

 

 

 

 

 

On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) [announced ](http://www.ico.gov.uk/news/latest_news/2013/ico-news-release-2013.aspx)that it has fined Sony Computer Entertainment Europe Limited £250,000 (approximately $390,000 US) as a result of the 2011 data breach of the Sony PlayStation Network (“PSN”).

In April 2011, Sony announced that it suffered a series of data breaches on the PSN and Sony Online Entertainment affecting up to 101.6 million records. This included customer name, address, email, date of birth, login/password information, online identification, purchase history, billing address, and password security questions. It also included up to 12 million unencrypted credit card numbers.

Under the UK Data Protection Act 1998, a data controller, such as Sony, must comply with the data protection principles so that personal information is:

- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than is necessary;
- Processed in line with your rights
- Secure; and
- Not transferred to other countries without adequate protection.
 
As described in its [Monetary Penalty Notice](http://www.ico.gov.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx), the ICO can issue a fine up to £500,000 for a ​“serious contravention” of these data protection principles.

Sony faced [U.S. Congressional scrutiny](http://www.adlawaccess.com/2011/06/articles/privacy-and-information-securi/sony-and-epsilon-on-the-hot-seat-house-commerce-subcommittee-investigates-historic-data-breaches/) shortly after the 2011 breach. However, Sony representatives declined to testify before the U.S. House Commerce Subcommittee in a hearing on comprehensive federal data security and data breach notification legislation. Also, [private class action litigation ](https://s3.amazonaws.com/cdn.kelleydrye.com/content/uploads/blogs/ad-law-access/2013/01/In_Re_Sony_Gaming_Networks_and_Customer_Data_Secur.pdf)against Sony arising from the data breach is still pending.

Businesses with a global customer base (online or otherwise) should be mindful of the privacy and data security obligations triggered by collecting personal information from consumers around the world.

 

 **Tags:** [Action](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/tags/action), [Class](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/tags/class), [Class Action](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/tags/class-action), [International](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/tags/international), [Privacy and Information Security](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/tags/privacy-and-information-security)

 

 - Share this entry 
    - 
    - 
    - 
    -
- [  View entry pdf ](https://s3.amazonaws.com/cdn.kelleydrye.com/content/uploads/pdf-snapshots/uk-ico-fines-sony-250000-after-2011-data-breach-20230914233131.pdf)
 
 

### Search Blog

  

### Subscribe

  

### Explore Topics

- [Privacy and Information Security](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-and-information-security)
 
 

### Related Services

- [Advertising and Marketing](https://www.kelleydrye.com/practices/advertising-and-marketing)
