Sony’s privacy breach

Details are continuing to emerge about Sony’s massive security breach, which has resulted in personal information of up to 77 million users, including New Zealanders, being stolen. It is unclear how much of the data was encrypted, although Sony has said that credit card information was encrypted.

The first lawsuits are already flying, and Sony has lost as much as 5% of its share price:

Late on Wednesday, Rothken Law Firm filed a lawsuit on behalf of an individual plaintiff named Kristopher Johns against Sony in the Northern District of California court.

“This suit seeks to redress Sony’s failure to adequately provide service to PlayStation consoles and PlayStation Network,” the lawyers for the plaintiff said in a court filing.

The plaintiff has requested the court to certify this case as a class action and has also sought unspecified monetary damages, according to the filing.

What protection is offered to New Zealanders affected by the breach? New Zealand’s privacy protection stacks up relatively well, as Auckland University Senior Lecturer Gehan Gunasekara has noted. The recent EU Working Party report on New Zealand’s privacy regime is available here. As the report notes:

4) Security principle: The controller must adopt appropriate technical and organisational measures against the risks presented by the processing. Any person acting under the authority of the controller, including the person in charge of processing, must not process data except on instructions from the controller.

The Working Party considers that principle 5 (Storage and security of personal information) covers the aspects required for the security principle. This principle is based on the OECD security safeguards principle and the wording is similar to the wording of article 17(1) and (2) of the Directive in that security measures must protect against loss, access, use, modification, disclosure and misuse. Agencies must do everything reasonably within their power to prevent unauthorised access and disclosure where information is given to a processor.

The Privacy Commission has previously investigated data loss caused by insecure computer systems (though obviously not on anything like the probably unprecedented scale of Sony’s recent data loss). The Commission cannot impose fines or damages, although a complainant (or the Commissioner) can refer the matter to the Human Rights Tribunal, which does have the ability to award damages for:

(a) pecuniary loss suffered as a result of, and expenses reasonably incurred by the aggrieved individual for the purpose of, the transaction or activity out of which the interference arose:

(b) loss of any benefit, whether or not of a monetary kind, which the aggrieved individual might reasonably have been expected to obtain but for the interference:

(c) humiliation, loss of dignity, and injury to the feelings of the aggrieved individual.

Remedies are also potentially available under negligence. However, this is very unlikely to occur in New Zealand, in large part because of the difficulty of bringing class actions of the kind seen in the US. It is also likely that the relevant principles under the Privacy Act do not apply to information held overseas by Sony in this case. This is unfortunate, as it means that while US citizens are able to seek compensation from Sony, New Zealanders who have suffered the same inconvenience and harm have no practical remedy (whether under the Privacy Act 1993, or tort law, or negligence). Likewise, if Sony offers compensation to users whose data has been stolen, it may be able to avoid compensating New Zealand users without (direct) detriment to itself.

It surely must be the case that, in future years, better and more accessible remedies will be available to New Zealand citizens who suffer loss of personal information as a result of egregious security lapses by agencies holding that information.