Within the space of 10 days, the ICO has successfully defended the first published appeal against a monetary penalty, and has issued a £250,000 monetary penalty on Sony Computer Entertainment Europe Limited (Sony) in only its fourth fine on a private company.
The Sony Playstation Network Platform was hacked in April 2011 following several Distributed Denial of Service (DDoS) attacks, resulting in the leak of the personal details of millions of customers, including passwords and payment card details. An investigation undertaken by the ICO revealed that the attack could have been prevented if more sophisticated security software had been in place. David Smith, Deputy Commissioner said:
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."
The ICO described the breach as “one of the most serious” it has handled under the DPA. The penalty notice highlighted several factors which were taken into account in determining the penalty. These included:
• That the breach was particularly serious given the nature and amount of data leaked;
• That customers’ other non-Sony accounts could have been placed at risk;
• That Sony should have been aware of the software vulnerability following other DDoS attacks and should have acted sooner to put appropriate technical security measures in place;
• That Sony is part of a multi-national group with the resources to address security issues; and
• That Sony has sufficient financial resources to pay a penalty up to the maximum without it causing undue financial hardship.
The monetary penalty is the largest awarded by the ICO against a private sector organisation under the Data Protection Act.
Sony has since said that it “strongly disagrees with the ICO’s ruling and is planning an appeal.” In explaining its objection to the ruling, Sony has pointed to the nature of the breach - the notice says that the hack was a determined criminal attack - and to the fact there is no evidence that encrypted payment card details were accessed.
Ruth Boardman, joint head of Bird & Bird’s international Data Protection practice, said:
"This latest monetary penalty from the ICO will serve as a wake up call to companies who had assumed that the ICO was concentrating its efforts on local government, health bodies and the public sector. Whilst the sheer number of customers affected by the Sony breach was an aggravating factor, data controllers should take care to put in place remedial measures if particular weaknesses have been highlighted by earlier incidents."
More details on the procedural intricacies of monetary penalties were revealed in the judgment on the first monetary penalty appeal before the First-Tier Tribunal. In this case, Central London Community Healthcare NHS Trust had, on numerous occasions, faxed a list of palliative care in-patients to the wrong fax number, the recipient of which notified the Trust and said he had destroyed the faxes. A monetary penalty of £90,000 was imposed and the Trust appealed.
The appeal was dismissed. The judgment, which is not technically binding on any future First-Tier Tribunal decision, agreed with the ICO’s position that the early payment discount is available only if the organisation does not appeal. The decision also sheds helpful light on an internal ICO document which sets out the method of deciding the appropriate monetary penalty:
• Once a decision is made to impose a monetary penalty, the case is placed into one of three bands:
> Serious (£40,000 - £100,000)
> Very Serious (£100,000 - £250,000)
> Most Serious (£250,000 - £500,000)
• The midpoint of the band is selected, and then aggravating/mitigating factors are applied to determine the final level of the penalty to be imposed.
It is anticipated that there will be more appeal decisions published within the next few months, given the increase in the number and size of monetary penalties imposed in 2012.
For more information please contact: