It seems that there will be no reprisal according to Australian law for the victims of the Sony PlayStation/Qriocity saga which left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.
Australian Privacy Commissioner Timothy Pilgrim released his official report last Thursday on his investigation into Sony Australia’s possible breach of the Privacy Act.
His investigation found that Sony did not breach Australia’s Privacy Act when it fell victim to a cyber-attack.
The investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Principles require organisations to take reasonable steps to protect personal information, and limit the circumstances in which organisations can use and disclose personal information.
“I found no evidence that Sony intentionally disclosed any personal information to a third party. Rather, its Network Platform was hacked into. I also found that Sony took reasonable steps to protect its customers’ personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place,” Mr Pilgrim said.
Mr Pilgrim was concerned about the time that elapsed between Sony becoming aware of the incident and notifying its Australian customers and the OAIC. There was a gap of a week between the data breach and the notification. However, the Privacy Act does not contain a deadline for data breach notification – so this failure to notify does not classify as a breach of privacy.
“I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised,” Mr Pilgrim said.
“However, I am pleased that in response to this incident, Sony has now implemented extra security measures to strengthen protections around the Network Platform.”
During the investigation, the Privacy Commissioner examined information pertaining to relationships between the various Sony entities involved in this matter.
“The international nature of these relationships raises challenges for regulators monitoring personal information flows in these kinds of situations where large global companies are collecting personal information while operating in a number of different jurisdictions.”
In recognition of this, the Privacy Commissioner will provide a copy of his investigation report to privacy regulators in APEC member economies for their consideration.
The Privacy Commissioner can only investigate what is in the bounds of the Australia’s Privacy Act to investigate – and here we get to the real problem.
Unfortunately our Privacy Laws don’t extend to mandatory data breach notification. So the Privacy Commissioner was unable to investigate what many agree was the real issue – why Sony took a week to notify its millions of customers their personal information – including credit card details had been compromised.
The entire saga and this subsequent investigation has served to highlight a massive hole in Australia’s privacy laws which are leaving people open to this kind of breach of security with no retribution via our Government policy.
As we advised at the time of the data breach, it is important for anyone who has had their personal details compromised in this way to be on the lookout for possible misuse of their credit file.
Often people don’t know they have been victims of identity theft until they attempt to obtain credit and are refused, due to defaults on their credit report they are unaware of.
It is recommended that everyone check their credit file for free every year from Australia’s credit reporting agencies. For people who have been the victim of a data breach and other people vulnerable to identity theft, it might pay to include a separate credit file monitoring service. For instance Veda Advantage will (for a fee) monitor people’s credit files and alert the credit file holder to any changes or entries on their credit file – including credit enquiries.
If people need help with credit rating repair following identity theft, they can contact MyCRA Credit Repairs toll free within Australia on 1300 667 218.