On 19 April 2011, Sony became aware that hackers had gained
access to their Network Platform which held personal information,
including contact and credit card details, of approximately 77
million customers world-wide. Amidst concerns that
Australians' personal information may have been compromised
in the cyber-attack, the Australian Privacy Commissioner commenced
an own-motion investigation into whether Sony complied with
National Privacy Principles 2.1 and 4.1 under the Privacy Act.

The Commissioner found that Sony did not breach National Privacy
Principle 2.1, which only allows disclosure of personal information
for the purpose for which it was collected, as the release of
information was not intended by Sony, but rather the result of a
'sophisticated security cyber-attack' against Sony's Network

The Commissioner also found that Sony had acted in accordance
with National Privacy Principle 4.1 in taking reasonable steps
to protect its customers' personal information from misuse
and loss and from unauthorised access, modification or

The Commissioner noted that Sony:

- had physical, network and communication security measures in
  place, including the encryption of credit card information;
- temporarily shut down the Network Platform servers and services
  after the security breach;
- subsequently advised consumers about the incident via the
  PlayStation website, the media and by email; and
- has since implemented various new security measures such as
  appointing a Chief Information Security Officer.

However, the Commissioner also expressed his concerns that Sony
allowed 7 days to elapse before notifying its customers, and
strongly recommended that Sony review how it applies the
OAIC's Guide to handling personal information security
breaches in light of the high risk of serious harm Sony's
customers were exposed to after the cyber-attack.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.