Most Datonomy readers will already be aware of this morning’s news of a £250,000 ICO fine for Sony over the 2011 PlayStation hack, which Sony reportedly intends to appeal.
The ICO published the monetary penalty notice this morning, with Deputy Commissioner David Smith appearing on YouTube “making no apologies” for the size of the fine (the largest imposed on a private sector organisation to date, and the third largest fine ever imposed by the ICO).
Understandably, much of the factual detail and specifics on the vulnerabilities of the system have been redacted to avoid compounding the risks to Sony’s system by giving future hackers a helping hand. This makes for a slightly frustrating reading experience, and inevitably limits the insight which the decision gives practitioners into the specifics of what might or might not constitute appropriate security in the given context. So, what can we usefully take from the Sony investigation and subsequent enforcement action?
Timing and appeals
It is not clear why it has taken almost two years from the breach, in April 2011, for the penalty notice to be issued. The ICO must of course follow the notice and consultation process set out in Section 55B of the DPA, and its own guidance on the use of monetary penalties.
Sony is reported to be planning to use its right to lodge an appeal to the Information Tribunal, which must be done within 28 days. It is possible to challenge the issue of a penalty notice and its amount, on the grounds that the fine was not in accordance with the law, and that to the extent the IC exercised its discretion, that it ought to have exercised it differently.
Given that monetary penalties are relatively new, the appeals process is relatively uncharted territory. Earlier this month, the first appeal against a monetary penalty notice, by Central London Community Healthcare Trust, was rejected by the Information Tribunal. That ruling gives practitioners (and would be appellants) useful insight into the Tribunal’s powers and likely approach. The progress and outcome of Sony’s appeal, the first by a private sector data controller, will be watched with interest.
Fines – present and future
In his video clip, David Smith commented that, from the ICO’s perspective, the “bright side” of the Sony data hack was the raised public awareness and concern over data security. Datonomy likes to believe in silver linings too – if it is any comfort to Sony, the fine, whist high, is only half the maximum available to the ICO, and pales in comparison with the $171 million dollar cost which Sony itself was reported to have put on the breach in 2011. Today’s fine is also considerably lower than the 2% of global turnover fines which could apply in future under the EU proposals.
Obligations to notify breaches – present and future
Aside from the prospect of greatly increased fines, how else might the data hack scenario differ under the proposed new regime?
Under the draft Regulation, all data controllers would be legally obliged to notify the regulator “without undue delay” and where feasible within a specified deadline. That notification window is subject to negotiation, with the Commission proposing 24 hours but the Parliament recommending a more pragmatic 72. Notifying a data breach to the regulator is currently only mandatory in the UK for communications service providers, although the ICO takes the view that all serious breaches should be notified.
The draft regulation would also introduce an obligation to bring breaches to the attention of affected individuals “without undue delay” where the breach puts their ID at risk.
As a matter of damage limitation and reputation management, even under the current voluntary regime, a household name suffering a major data breach is likely to opt to bring serious breaches to the attention of consumers and regulators – at least where that breach is or is likely to become public knowledge. Whether or not to challenge a monetary penalty notice is perhaps a more difficult tactical decision as it does inevitably prolong media attention.
Datonomy will monitor the progress and outcome of the appeal with keen interest.