January 22, 2018

The Sony Data Breach Fine: A Hand-Slap from London Now, But What Would it Have Been Under the Proposed New EU Data Protection Regulation?

The UK Information Commissioner’s Office (ICO) has fined Sony £250,000 for the widely publicized 2011 security breach (see here, here, and here), in which hackers gained access to the personal data (including credit card information) of over 77 million users.

For a company of Sony’s size, £250,000 is a hand-slap — and Sony’s announcement that it will appeal the fine is surely based on a matter of principle (or a desire to avoid a bad precedent) rather than a purely economic decision.

But what would Sony’s fine have been under the proposed new EU Data Protection Regulation?

Two percent of Sony’s worldwide turnover.

I’m not sure how much that is, but it’s a lot more than £250,000.

How exactly would the ICO be able to arrive at a fine equal to two percent of Sony’s worldwide turnover under the draft Regulation?

Article 79 of the draft Regulation provides for fines of up to 2% of an enterprise’s worldwide turnover in the event of a serious violation of the Regulation.  Article 79 expressly calls out violations of Article 30, which requires data controllers and processors to implement “appropriate organizational and technical measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.”

The substance of Article 79 is already law.  The ICO determined that Sony failed to take appropriate technical measures to protect the personal data of its users because Sony could have updated its software and prevented the breach.

Today, that costs £250,000.  But in two years, it may cost much, much more.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Susan L. Foster, Mintz Levin Law, Information Privacy Lawyer, Start Up Attorney

Susan is qualified in England and Wales as well as California, and has experience practicing law in both the United States and the United Kingdom. She has been based in Mintz Levin’s London office since September 2007, and worked in the United Kingdom for another international law firm from 2001 to 2004.

Susan works with clients primarily on licensing, collaborations, and commercial matters in the fields of clean tech, high tech, mobile media, and life sciences. She has represented a broad range of clients, from start-up companies to international industry leaders, and has...