UK Fine Likely Just The Start of Sony’s Breach Woes

January 24, 2013 – In The News

In a recent ruling, the U.K. fined Sony Computer Entertainment Europe Ltd. just under $400,000 for failing to stop a massive 2011 data breach. Although the number is smaller than many expected, attorneys say the penalty won’t be the end of the company’s regulatory troubles, with watchdogs in other jurisdictions scouring its security practices and weighing whether to bring fines of their own.

The April 2011 breach was a result of Sony’s failure to update faulty software and add necessary password protectors to its PlayStation and Qriocity networks. The message sent by the Sony case is likely to resonate with regulators in other jurisdictions, who are just as interested in ensuring that similar companies have appropriate security measures.

“The bigger the world is the smaller it is,” Fox Rothschild partner Scott Vernick said. “There's no doubt in my mind that all the regulators talk to each other. They may have different ways of approaching the same problem and different frameworks for addressing it, but all regulators, whether in the U.S. or other countries, will be taking this action into account.”

In recent years, these regulators have begun to take a more aggressive approach toward lax data security and retention practices, making it a strong possibility that other watchdogs will add to Sony's woes with their own fines, Vernick added.

“Traditionally, outside the U.S., the regulatory system was not really so much oriented toward financial penalties,” he said. “But regulators are starting to come at it differently.”

Sony revealed Thursday it disagreed with the ruling and was planning an appeal, which it has until Feb. 13 to file. The company's case could be helped by the findings of the Australian privacy commissioner, who closed a probe into the breach in September 2011 after concluding Sony “took reasonable steps to protect its customers' personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place.”

Regardless of how future regulatory or legal actions play out, Sony's fine — and the potential for further action — should serve as the latest reminder that companies should be making data security a top priority.

“Data security is here to stay, and regulators are very serious about it, so companies should expect to continue to see very aggressive enforcement,” Vernick said.