The Information Commissioner's Office (ICO) said the company was guilty of a serious breach of the UK's Data Protection Act (DPA) because it had not taken "appropriate technical measures" to protect the security of personal data stored on its PlayStation Network (PSN), data which was stolen when hackers broke into its systems in 2011.
Sony also stored "excessive" amounts of customers' personal data on the PSN Platform, the ICO said, and found that this too amounted to a breach of the DPA. The Act requires organisations to ensure that the personal data they hold is "adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed".
Sony said it "strongly disagrees" with the ICO's findings and is planning to appeal its decision.
Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that organisations need to be given guidance on what technical measures can be said to constitute an appropriate standard of security for the purposes of compliance with the DPA.
"The Sony appeal could be extremely interesting as it may provide an insight into what the ICO considers to be an appropriate standard of security that organisations have to have in place, particularly as it is a case involving a company in the private sector," Dautlich said.
"Organisations are increasingly subject to malicious attacks," he added. "Clarity from the ICO is needed about just how good security needs to be to meet the requirements of the DPA. This is an important issue at the moment, but it will come even more into focus if all organisations are mandatorily obliged to report data breach incidents as would be the case if proposed reforms to EU data protection laws are introduced as currently drafted."
"In our experience it is also very often the case that security incidents go hand-in-hand with a finding that organisations are holding too much personal data. This case should highlight the need for firms to concentrate on their retention policies and give the issue sufficient attention," he said.
In April 2011 Sony admitted that the details of as many as 77 million people worldwide might have been stolen following a breach of its PSN by hackers. The Network allows PlayStation 3 users to log in and download games, films and other media and play games against other users live.
The ICO investigated the incident and said that the names, addresses, email addresses, dates of birth and passwords of users of the PSN had been accessed by hackers. Users' payment card details had also been put "at risk", it added. It said that the hackers probably exploited a "vulnerability" in the company's systems which was itself subject to "several" distributed denial of service (DDoS) attacks prior to the breach. DDoS attacks typically involve hackers using malware-infected computers to bombard systems with such large amounts of traffic that they cease to function.
The ICO did not specify precisely how many UK PSN users had been affected by the breach, but put the numbers in the "millions". Deputy Information Commissioner David Smith described the case as "one of the most serious" that has ever been reported to the watchdog.
The ICO said that although Sony had taken some steps to "protect account passwords", it determined that the company had "failed to ensure that the Network Platform service provider kept up with technical developments". As a result, Sony had not had "appropriate" security measures, such as "cryptographic controls to protect passwords", in place at the time of the data breach, the watchdog ruled.
The watchdog said the breach was "of a kind likely to cause substantial damage or substantial distress" and said that the damage and distress could have been exacerbated had the individuals concerned been exposed to fraud or other risks because of further disclosure of the personal data to "other untrustworthy third parties".
Under the Data Protection Act (DPA) organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
The ICO has previously said that all personal data stored electronically should be encrypted if it "would cause damage or distress if it were lost or stolen".
In a statement, Sony said that it would appeal against the ICO's decision.
"Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal," the company said. "SCEE notes, however, that the ICO recognises Sony was the victim of 'a focused and determined criminal attack,' that 'there is no evidence that encrypted payment card details were accessed,' and that 'personal data is unlikely to have been used for fraudulent purposes' following the attack on the PlayStation Network."
"Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient. The reliability of our network services and the security of our consumers’ information are of the utmost importance to us, and we are appreciative that our network services are used by even more people around the world today than at the time of the criminal attack," it added.
Sony need only pay a £200,000 fine to the ICO if it pays the penalty prior to 13 February as part of an "early payment discount" offered by the watchdog. The company told Out-Law.com that it would not comment on whether it would take advantage of the early payment discount and simultaneously pursue an appeal - something the ICO prohibits but which an organisation served with a monetary penalty notice from the watchdog has yet to challenge at an Information Rights Tribunal.
Editor's note 25/1/13: The last paragraph of this story says that nobody had challenged an ICO monetary penalty notice. In fact by the time this story had been published they had, but we did not yet know about it. For more you can read our coverage of the challenge and the Information Tribunal's ruling.