The UK Information Commissioner’s Office (ICO) has fined Sony £250,000 for the widely publicized 2011 security breach (see here, here, and here), during which hackers gained access to personal data (including credit card information) of over 77 million users.
For a company of Sony’s size, £250,000 is a hand-slap — and Sony’s announcement that it will appeal the fine is surely based on a matter of principle (or a desire to avoid a bad precedent) rather than a purely economic decision.
But what would Sony’s fine have been under the proposed new EU Data Protection Regulation?
Two percent of Sony’s worldwide turnover.
I’m not sure how much that is, but it’s a lot more than £250,000.
How exactly would the ICO be able to arrive at a fine equal to two percent of Sony’s worldwide turnover under the draft Regulation?
Article 79 of the draft Regulation provides for fines of up to 2% of an enterprise’s worldwide turnover in the event of a serious violation of the Regulation. Article 79 expressly calls out violations of Article 30, which requires data controllers and processors to implement “appropriate organizational and technical measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.”
The substance of Article 79 is already law. The ICO determined that Sony failed to take appropriate technical measures to protect the personal data of its users because Sony could have updated its software and prevented the breach.
Today, that costs £250,000. But in two years, it may cost much, much more.