Why I think Sony are wrong to claim they withdrew their databreach fine appeal because of concerns about disclosing sensitive information
So, Sony have withdrawn their appeal of the £250,000 Monetary Penalty Notice served on them by the Information Commissioner (ICO), following the 2011 hack of the Playstation Network which exposed the details of millions of subcribers. I blogged at the time
my suspicious nature makes me wonder if they will ultimately pursue the appeal. Although it will cost them nothing, this isn’t about cost, but reputation, and do Sony really want to risk another day of bad headlines about their data security, in the event that they lose the appeal?
Whether the fear of further publicity was a factor in the withdrawal is impossible to say, but Sony’s public statements about the withdrawal hark back to another point I noted at the time. The ICO’s notice was heavily redacted, clearly to avoid disclosing commercially confidential or sensitive aspects of Sony’s network security, in line with ICO commitment to do so (7.3 in his Monetary Penalty Guidance). However Sony, in withdrawing their appeal to the First-tier Tribunal, now say
After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits
This rather disingenuously overlooks the fact that the Rules which govern tribunal proceedings expressly allow for parts of the hearing to be in private (Rule 35.2 of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009). So, while they are entitled to continue to disagree with the decision on the merits (reminds me of the cricket umpire who, when confronted with a batsman saying “That wasn’t out!” replied “Oh no? Let’s see what the newspapers say in the morning”) everyone else can be satisfied that Sony were correctly served a £250,000 Monetary Penalty Notice for a serious contravention of the Data Protection Act 1998, and that they chose not to pursue their right of appeal. And they’ve missed their chance for a 20% early payment discount (although that’s hardly going to worry their financial backers).
It’s a victory for the ICO, as well: he is often criticised for failing to take on the big private sector tech and social media companies. In this case, he did, and he won.
informationrightsandwrongs 
One case out of dozens doesn’t not remove my suspicion that the ICO shies away from the private sector and DP. However, you’re right to say that Sony’s position seems disingenuous. Mounting an appeal – even though it means the loss of the discount – has a significant advantage. Sony could counter the bad headlines at the time by stating that they would appeal avoiding the inconvenient question of their failings. More recently, Nev Wilshire, the publicity-seeking owner of 2 business fined for PECR breaches was nowhere to be seen when the CMPs landed. Instead, he hid behind a faceless spokesperson statement about an imminent appeal. Nothing the ICO can do about this, but it’s a shame that the media don’t pick them up on it.
Pingback: Substantial distress or just a nuisance? | inforightsandwrongs