According to a news report in the Washington Post, the first round of economic fallout from the security breaches in Sony’s online gaming service is $170 million. Included in this sum are the costs of paying for identity theft insurance for their U.S. customers, improvements to their network security procedures and systems, the cost of providing users free access to content, customer support, and the costs of investigating the hacking.
While $170 million may sound like a lot of money, to a global company like Sony it’s just an uncomfortable drop in the bucket. When divided by the number of consumers whose personal records were compromised (estimated to be around 100 million subscribers), that’s just $1.70 per user. With such a low impact, I’m concerned it will not sting enough to feel like much of a motivator to really increase their security practices.
Of course we’re just in round one. There is at least one class action lawsuit underway, and only time will show how many customers they lose over the ordeal or the impact to their brand.
It remains to be seen exactly what changes Sony makes to their policies and practices around the breach notification process, but the company has settled with the FTC over charges that they failed to protect their consumers’ personal information. To satisfy the FTC’s requirements, Sony has pledged to create a comprehensive information security program and be subjected to biennial independent audits. The company was also required to not make any “future misrepresentations” about their security practices.
Speaking to Sony’s blatant lack of regard shown to consumers whose data has been compromised, Senator Blumenthal (D-Connecticut) said, “I am troubled by the failure of Sony to immediately notify affected customers of the breach [of the PSN] and to extend adequate financial data security protections. A breach of such a widely used service raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data… When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised.”
These breaches aren’t the first time Sony’s been in trouble for actions (or failure to take appropriate actions) against U.S. consumers. In 2008, the FTC fined the company $1 million for illegally collecting data on kids in violation of the Children’s Online Privacy Protection Act (COPPA). Speaking to this issue, FTC Chairman William Kovacic said in a statement, “Sites with social networking features, like any Web sites, need to get parental consent before collecting kids’ personal information. Sony Music is paying the penalty for falling down on its COPPA obligations.”
In 2007 the FTC fined Sony for violating federal law when it sold CDs to consumers that contained hidden software to restrict the number of devices on which purchased music could be played. “Installations of secret software that create security risks are intrusive and unlawful,” said FTC Chairman Deborah Platt Majoras. “Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content.”
To learn more about the breaches, and Sony’s appalling treatment of consumers in the aftermath, see my blogs Sony’s Security Breach, their Delay in Reporting, and their “User’s it’s Your Problem” Stance Deserves close scrutiny and Oops! Sony did it Again….Another 24.6 Million Accounts Exposed.
As for Sony’s online gaming services, they are getting back up to full speed. As of May 15th, the company began restoring their PlayStation Network services to allow consumers to game, chat and stream music.