July 23, 2014

The Sony Data Breach Fine: A Hand-Slap from London Now, But What Would it Have Been Under the Proposed New EU Data Protection Regulation?

The UK Information Commissioner’s Office (ICO) has fined Sony £250,000 for the widely publicized 2011 security breach during (see herehere, and here) which hackers gained access to personal data (including credit card information) of over 77 million users.

For a company of Sony’s size, £250,000 is a hand-slap — and Sony’s announcement that it will appeal the fine is surely based on a matter of principle (or a desire to avoid a bad precedent) rather than a purely economic decision.

But what would Sony’s fine have been under the proposed new EU Data Protection Regulation?

Two percent of Sony’s worldwide turnover.

I’m not sure how much that is, but it’s a lot more than £250,000.

How exactly would the ICO be able to arrive at a fine equal to two percent of Sony’s worldwide turnover under the draft Regulation?

Article 79 of the draft Regulation provides for fines of up to 2% of an enterprise’s worldwide turnover in the event of a serious violation of the Regulation.  Article 79 expressly calls out violations of Article 30, which requires data controllers and processors to implement “appropriate organizational and technical measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.”

The substance of Article 79 is already law.  The ICO determined that Sony failed to take appropriate technical measures to protect the personal data of its users because Sony could have updated its software and prevented the breach.

Today, that costs £250,000.  But in two years, it may cost much, much more.

©1994-2014 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Author

Susan L. Foster, Mintz Levin Law Firm, Business Attorney

Susan is qualified in England and Wales as well as California, and has experience practicing law in both the United States and the United Kingdom. She has been based in Mintz Levin’s London office since September 2007, and worked in the United Kingdom for another international law firm from 2001 to 2004.

Susan works with clients primarily on licensing, collaborations, and commercial matters in the fields of clean tech, high tech, mobile media, and life sciences. She has represented a broad range of clients, from start-up companies to international industry leaders, and has...


Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 If you would ike to contact us via email please click here.