Earlier this year Sony, the owner of Playstation, and 77 million users of its Playstation 3 network suffered a breach of system and information security. Whilst 77 million users had their personal information and, in some cases, financial data stolen, they also suffered 40 days' disruption to their right to use the product they had purchased. In turn, it is estimated that Sony will suffer costs in the billions of dollars clearing up what will most likely be one of the largest security breaches of 2011.

Sony are learning the hard way how the costs of a security incident just keep adding up. Legal action by customers is just one of them. The potential for group legal action, in particular, is driving fear into Sony’s heart: so much fear that Sony have decided to change the terms and conditions under which customers use their Playstation 3 and the PSN network.

Customers are being given, some would say, harsh choices to make about their relationship with Sony.

1. Waive your rights to pursue group legal action, through independent legal counsel, against Sony for any future breaches of data confidentiality.
2. Restrict your options, for pursuing your rights, to legal representatives chosen by Sony.

Are Sony saying, now that we realise the potential financial impact, we’d like to redefine our relationship with our customers? Does this potentially highlight a lack of effective risk management in the first place? Shouldn’t businesses assess these risks before they launch a new product or service which gathers customers’ data?

Here are some of my observations:

• Terms of use are part of the internal control framework for managing information security risk. Sony is, understandably, looking to reduce its financial exposure to risks to its cash flow and profitability from future breaches of security.
• Terms of use don’t contribute to reducing the likelihood of a security incident.
• Are Sony’s measures to reduce customers’ rights to pursue legal recourse another example of the erosion of customers’ rights?
• Is restricting Sony’s customers’ means to pursue legal action for a breach of data security to Sony’s own appointed “arbitrators” an erosion of independence?
• By restricting customers’ rights, are Sony admitting that they recognise that they may be subject to further attacks and security breaches?
• Will Sony reimburse Playstation 3 & PSN users who feel that what they bought, including assurances about the confidentiality of their personal data, is significantly different to what they now have?
• Is a 30 day window for Playstation customers to write and send a letter to Sony’s offices in the USA a reasonable time period? Compare that to the 40 days customers went without access to the service / product they had purchased!
• Why does the letter have to be sent to Sony through the postal system and not electronically?
• Should customers be given the means to send an electronic communication to Sony?
• Will Sony Playstation customers even review the changes to the terms of use?
• Will Sony Playstation customers actually understand what these changes mean to them?
• Are Sony Playstation leveraging the well documented tendency of consumers to simply click “Agree” before reviewing the changes?

If you have any views on the observations above or would like to add some please leave a comment.