Privacy Commissioner and Others Up In Arms about Sony PlayStation Network Hack

Matt Lonsdale is a JD candidate at Dalhousie University.

On April 20th, 2011, disappointed gamers discovered they could no longer connect to the PlayStation Network. While Sony initially blamed the outage on technical problems, it was later revealed that the service had been deliberately hacked. The incident has sparked a flurry of activity among government officials, law enforcement, politicians and private citizens.

The PlayStation Network is an online service that allows owners of Sony’s PlayStation 3 game console to play multiplayer games, stream movies and purchase new content. The perpetrators had gained access to a database containing a wealth of personal information on PlayStation Network’s customers. Qriocity, a music and video streaming service owned by Sony, was also affected by the attack.

While the extent of the breach is not known, the database accessed contained the personal information of over 75 million PlayStation Network users. In an email to users dated April 27, 2011, Sony wrote, “we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID”. Credit card data was encrypted and stored in a separate database. While there is no evidence that this information was accessed, Sony has not ruled out the possibility.

Sony’s customers were understandably angry about the breach. In response, the US-based Rothken Law Firm has filed a class action lawsuit in California, alleging that Sony “failed to take reasonable care to protect, encrypt, and secure the private and sensitive data of its users”. The lawsuit seeks information about the breach and Sony’s data security practices, as well as monetary compensation for affected users.

As might be expected in today’s privacy-conscious world, the breach has also received significant attention from government. The attack itself is being investigated by the FBI’s cybercrimes unit in San Diego. A US House of Representatives subcommittee, as part of a hearing entitled “The Threat of Data Theft to American Consumers”, submitted written questions to the Chairman of the Board of Directors of Sony Computer Entertainment America. Britain’s Information Commissioner’s Office has also been in contact with Sony and is investigating whether the privacy laws of that country have been violated.

In Canada, the Office of the Privacy Commissioner was not notified of the breach by Sony. Office spokeswoman Valerie Lawton wrote that “We are currently looking into this matter and are seeking information from Sony… [W]e will determine next steps once we have a full understanding of the incident.” The Personal Information Protection and Electronic Documents Act does not place an obligation on organizations to report incidents of this kind to the Office of the Privacy Commissioner. However, Schedule 1 of that Act does contain a number of principles which organizations are expected to adhere to, including the implementation of “procedures to protect personal information”. Sony has stated that all personal information was protected by a sophisticated security system, although, unlike credit card data, personal information was not encrypted. On May 4, 2011, just two weeks after the breach, Privacy Commissioner Jennifer Stoddart gave a speech at the Canada 3.0 conference calling for Parliament to grant the Office the ability to levy substantial fines against organizations. She expressed dismay that Sony had not notified her office of the breach, saying that “I have come to the conclusion that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance”.