Sony fine gives an indication of what the ICO means by "appropriate security"

The £250,000 fine that the Information Commissioner's Office (ICO) imposed on Sony Computer Entertainment Europe Limited on 14 January, and announced on 24 January, follows a serious breach of the Data Protection Act in April 2011, when the Sony PlayStation Network Platform was hacked. The breach compromised the personal information of millions of Sony's customers.

An ICO investigation found that the attack could have been prevented if the software had been kept up to date, and that, given technical developments in the meantime, the way account passwords were protected was no longer secure. The ICO says that while Sony had made some effort to protect account passwords, those measures were not sufficient.

This monetary penalty sheds some light on how the ICO interprets the Data Protection Act's requirement for "appropriate technical and organisational measures". The ICO has previously said that personal data should be encrypted if its loss or theft would cause damage or distress.

The ICO also points out that Sony is a large multinational company with sufficient resources to address security issues. On the positive side, it notes that the company voluntarily notified the ICO of the breach, that data subjects were notified, and that the company cooperated fully with the ICO. These factors were taken into account when determining the amount of the fine.

Sony says it plans to appeal the decision. If Sony instead chose to pay the fine early, by 14 February, it would receive a 20% discount.

See the monetary penalty notice, with commercially confidential data redacted.