UK ICO Fines Sony £250,000 After 2011 Data Breach

On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) announced that it has fined Sony Computer Entertainment Europe Limited £250,000 (approximately $390,000 US) as a result of the 2011 data breach of the Sony PlayStation Network (“PSN”).

In April 2011, Sony announced that it suffered a series of data breaches on the PSN and Sony Online Entertainment affecting up to 101.6 million records. This included customer name, address, email, date of birth, login/password information, online identification, purchase history, billing address, and password security questions. It also included up to 12 million unencrypted credit card numbers.

Under the UK Data Protection Act 1998, a data controller, such as Sony, must comply with the data protection principles so that personal information is:

  • Fairly and lawfully processed;
  • Processed for limited purposes;
  • Adequate, relevant and not excessive;
  • Accurate and up to date;
  • Not kept for longer than is necessary;
  • Processed in line with your rights;
  • Secure; and
  • Not transferred to other countries without adequate protection.

As described in its Monetary Penalty Notice, the ICO can issue a fine of up to £500,000 for a “serious contravention” of these data protection principles.

Sony faced U.S. Congressional scrutiny shortly after the 2011 breach. However, Sony representatives declined to testify before the U.S. House Commerce Subcommittee in a hearing on comprehensive federal data security and data breach notification legislation. Also, private class action litigation against Sony arising from the data breach is still pending.

Businesses with a global customer base (online or otherwise) should be mindful of the privacy and data security obligations triggered by collecting personal information from consumers around the world.