The United Kingdom’s data protection regulator, the Information Commissioner’s Office (ICO), has fined Sony Computer Entertainment Europe £250,000 for a “serious breach” of the UK’s data protection laws, following one of the most widely reported information security breaches of 2011.

Sony’s PlayStation Network was hacked in 2011 and the personal information of some 70 million customers and users of its gaming platform and services was compromised. Its repercussions have been significant and are still ongoing.

It is estimated that approximately 3 million UK citizens were using the PlayStation Network and had their personal details compromised. The fine levied by the UK regulator therefore works out at roughly £0.08, or 8 pence, per affected customer.

Here are some of my thoughts:

Risk Management

Investment in information security should be based on a balanced assessment of the risk to an organisation’s key metrics, including cash flow and profitability.

Any information security risk assessment should include an examination of statutory obligations such as data protection laws. The impact of failing to comply with these obligations, and of being caught doing so, should be reported in clear, quantifiable terms, with supporting evidence where possible.

It is arguable that a fine of £250,000 for a serious breach of security involving 3 million records could be considered:

• A risk worth accepting or self-insuring against.
• Lower than the cost of implementing appropriate and reasonable security controls, and therefore a reason not to invest until an incident occurs and the ICO investigates.

Calculating the Fine

It is worth pointing out that the ICO, roughly speaking, calculates fines on three factors: 1) the seriousness of the breach, 2) the size of the breach, and 3) the turnover or profit of the organisation accountable for the breach of confidentiality.

Given that the ICO has made it clear that the Sony breach was “serious”, this suggests that either the number of records compromised or Sony’s turnover and profitability, or both, were the reason why the maximum fine of £500,000 was not levied. I doubt it was the latter.

Does this set a precedent, with a security breach involving 3 million records capped at £250,000? If so, what message does this send about compliance to businesses and organisations with smaller customer databases?

Regulator and Industry Best Practice Alignment

The need to take a risk-based approach to building the business case for investing in reasonable and appropriate data security measures and practices is a common mantra of both industry and government. Government policy, enforced through regulators like the ICO, should reinforce this.

A risk-based decision that takes the outcome of the ICO’s investigation into Sony, and the fine that followed, as its input may well make the case for accepting or self-insuring against a breach of confidentiality of personal data subject to UK data protection law, rather than investing in security practices and measures.

Is the regulator out of sync with government and industry policy and thinking? Or are the current legislation and the methodology used for calculating fines ineffective and out of touch with the reality on the ground?

Proportionality

The data protection laws are in place to protect, amongst other things, individual citizens’ right to confidentiality. Is a fine of £0.08 per customer for a serious breach of the security of that customer’s records a penalty proportionate to the potential impact on the individual, now and in the future?

I am left wondering whether the methodology for calculating fines effectively delivers against the objective of having data protection laws in place. I am also left considering the impact on information security professionals when building the case for investment in organisational security measures and practices.

If you have any thoughts on the above please leave a comment or contact me here.