Sony may have to pay the price for failing to protect users’ personal information.
Sony may be working tirelessly to restore the PlayStation Network, but the company could still face penalties for failing to protect people’s private information. According to an estimate from the Ponemon Institute, the sanctions could climb as high as $24.5 billion. The data research firm found that the average cost of a malicious or criminal data breach was $318 per compromised record in 2010, and that adds up when you consider that the PSN has 77 million user-created accounts.
Of course, even in a worst-case scenario, the $24 billion figure is probably a little high. Many of the compromised accounts may not have contained any valid credit card numbers, and it’s still not clear whether anyone gained access to $318 worth of financial data per record. Bank of America and Chase both said that they had not received any notification about a possible breach, although that could simply indicate that Sony didn’t know the information had been taken.
“They indicated that they’re worried about it, which is probably a very strong indication that everything was stolen,” said Josh Shaul, the chief technology officer for Application Security.
Sony could also face sanctions from various governing bodies in the 59 countries in which the PSN is available. For instance, the Data Protection Act in the United Kingdom forces companies to keep user information safe, and the law could override the liability clause in Sony’s End User License Agreement.
“If the company is not compliant with the act within a certain time limit, further action would be taken and we might consider an enforcement notice or issue a monetary penalty,” said a representative from the Information Commissioner’s Office. “For serious breaches of the act, we can issue a monetary penalty up to £500,000.”
For the moment, however, this is all just speculation. It will still be a while before we’re able to calculate the actual cost of the fiasco, and we can only hope that the PSN will be much safer once it’s back up and running.